
rpms/selinux-policy-targeted/devel policy-20050606.patch, 1.4, 1.5 selinux-policy-targeted.spec, 1.317, 1.318



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv2444

Modified Files:
	policy-20050606.patch selinux-policy-targeted.spec 
Log Message:
* Mon Jun 13 2005 Dan Walsh <dwalsh redhat com> 1.23.18-6
- Further cleanup of user separation patches from Ivan


policy-20050606.patch:
 Makefile                              |    5 
 attrib.te                             |    2 
 domains/misc/kernel.te                |    7 -
 domains/misc/local.te                 |    5 
 domains/program/fsadm.te              |    5 
 domains/program/init.te               |    4 
 domains/program/initrc.te             |   10 +
 domains/program/klogd.te              |    2 
 domains/program/login.te              |    2 
 domains/program/modutil.te            |    2 
 domains/program/mount.te              |    2 
 domains/program/restorecon.te         |    5 
 domains/program/ssh.te                |    2 
 domains/program/syslogd.te            |    2 
 domains/program/unused/acct.te        |    2 
 domains/program/unused/alsa.te        |   17 ++
 domains/program/unused/apache.te      |    2 
 domains/program/unused/bonobo.te      |    9 +
 domains/program/unused/consoletype.te |    2 
 domains/program/unused/cups.te        |    6 
 domains/program/unused/dhcpc.te       |    5 
 domains/program/unused/ethereal.te    |   48 ++++++
 domains/program/unused/evolution.te   |   13 +
 domains/program/unused/gconf.te       |   12 +
 domains/program/unused/gift.te        |    1 
 domains/program/unused/gnome.te       |    7 +
 domains/program/unused/gnome_vfs.te   |    9 +
 domains/program/unused/i18n_input.te  |    1 
 domains/program/unused/iceauth.te     |   12 +
 domains/program/unused/orbit.te       |    7 +
 domains/program/unused/pam.te         |    5 
 domains/program/unused/pamconsole.te  |    2 
 domains/program/unused/ping.te        |    2 
 domains/program/unused/rpcd.te        |    3 
 domains/program/unused/thunderbird.te |    9 +
 domains/program/unused/udev.te        |    2 
 domains/program/unused/utempter.te    |    5 
 domains/program/unused/xdm.te         |   20 ++
 domains/program/unused/xserver.te     |    3 
 file_contexts/distros.fc              |    3 
 file_contexts/program/alsa.fc         |    3 
 file_contexts/program/apache.fc       |    2 
 file_contexts/program/bonobo.fc       |    1 
 file_contexts/program/ethereal.fc     |    3 
 file_contexts/program/evolution.fc    |    8 +
 file_contexts/program/fontconfig.fc   |    6 
 file_contexts/program/gconf.fc        |    5 
 file_contexts/program/gnome.fc        |    8 +
 file_contexts/program/gnome_vfs.fc    |    1 
 file_contexts/program/iceauth.fc      |    3 
 file_contexts/program/mozilla.fc      |    3 
 file_contexts/program/orbit.fc        |    3 
 file_contexts/program/thunderbird.fc  |    2 
 file_contexts/program/xauth.fc        |    1 
 file_contexts/program/xdm.fc          |    1 
 file_contexts/program/xserver.fc      |    2 
 file_contexts/types.fc                |    2 
 macros/admin_macros.te                |    8 -
 macros/base_user_macros.te            |   36 ++++-
 macros/global_macros.te               |   37 ++---
 macros/program/bonobo_macros.te       |  119 +++++++++++++++++
 macros/program/dbusd_macros.te        |    3 
 macros/program/ethereal_macros.te     |   82 +++++++++++
 macros/program/evolution_macros.te    |  238 ++++++++++++++++++++++++++++++++++
 macros/program/fontconfig_macros.te   |   38 ++++-
 macros/program/games_domain.te        |   38 +----
 macros/program/gconf_macros.te        |   55 +++++++
 macros/program/gift_macros.te         |   57 ++------
 macros/program/gnome_macros.te        |  115 ++++++++++++++++
 macros/program/gnome_vfs_macros.te    |   49 +++++++
 macros/program/gpg_agent_macros.te    |    1 
 macros/program/gpg_macros.te          |    3 
 macros/program/ice_macros.te          |   38 +++++
 macros/program/iceauth_macros.te      |   39 +++++
 macros/program/lpr_macros.te          |    3 
 macros/program/mail_client_macros.te  |   60 ++++++++
 macros/program/mozilla_macros.te      |   63 +++------
 macros/program/orbit_macros.te        |   44 ++++++
 macros/program/spamassassin_macros.te |    7 -
 macros/program/ssh_agent_macros.te    |    3 
 macros/program/thunderbird_macros.te  |   59 ++++++++
 macros/program/userhelper_macros.te   |    3 
 macros/program/x_client_macros.te     |   12 -
 macros/program/xauth_macros.te        |    2 
 macros/program/xdm_macros.te          |   11 +
 macros/program/xserver_macros.te      |   17 +-
 macros/user_macros.te                 |    4 
 mls                                   |   41 ++---
 net_contexts                          |   25 +--
 targeted/domains/program/crond.te     |    2 
 targeted/domains/unconfined.te        |    3 
 tunables/distro.tun                   |    2 
 tunables/tunable.tun                  |    4 
 types/device.te                       |    7 +
 types/devpts.te                       |    2 
 types/file.te                         |    4 
 types/network.te                      |    8 -
 types/security.te                     |    2 
 98 files changed, 1392 insertions(+), 268 deletions(-)

Index: policy-20050606.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050606.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20050606.patch	10 Jun 2005 20:44:03 -0000	1.4
+++ policy-20050606.patch	13 Jun 2005 19:14:18 -0000	1.5
@@ -296,10 +296,32 @@
  allow ptal_t self:fifo_file rw_file_perms;
  allow ptal_t device_t:dir read;
  allow ptal_t printer_device_t:chr_file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.18/domains/program/unused/dhcpc.te
+--- nsapolicy/domains/program/unused/dhcpc.te	2005-04-27 10:28:50.000000000 -0400
++++ policy-1.23.18/domains/program/unused/dhcpc.te	2005-06-13 11:52:32.000000000 -0400
+@@ -68,6 +68,9 @@
+ ifdef(`cardmgr.te', `
+ allow ping_t cardmgr_t:fd use;
+ ') dnl end if cardmgr
++', `
++allow dhcpc_t self:capability setuid;
++allow dhcpc_t self:rawip_socket create_socket_perms;
+ ') dnl end if ping
+ 
+ ifdef(`dhcpd.te', `', `
+@@ -143,7 +146,7 @@
+ can_exec(dhcpc_t, initrc_exec_t)
+ ifdef(`ypbind.te', `
+ domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
+-allow dhcpc_t ypbind_var_run_t:file r_file_perms;
++allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+ ')
+ ifdef(`ntpd.te', `
+ domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ethereal.te policy-1.23.18/domains/program/unused/ethereal.te
 --- nsapolicy/domains/program/unused/ethereal.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.18/domains/program/unused/ethereal.te	2005-06-08 09:04:15.000000000 -0400
-@@ -0,0 +1,73 @@
++++ policy-1.23.18/domains/program/unused/ethereal.te	2005-06-13 11:53:36.000000000 -0400
+@@ -0,0 +1,48 @@
 +# DESC - Ethereal  
 +#
 +# Author: Ivan Gyurdiev <ivg2 cornell edu>
@@ -310,39 +332,6 @@
 +type ethereal_exec_t, file_type, exec_type, sysadmfile;
 +
 +########################################################
-+# ethereal_common(app_prefix) - common ethereal rules
-+#
-+define(`ethereal_common', `
-+
-+uses_shlib($1_t)
-+read_locale($1_t)
-+
-+# Terminal output
-+access_terminal($1_t, sysadm)
-+
-+# /proc
-+read_sysctl($1_t)
-+allow $1_t { self proc_t }:dir { read search getattr };
-+allow $1_t { self proc_t }:{ file lnk_file } { read getattr };
-+
-+# Access root
-+allow $1_t root_t:dir search;
-+
-+# Read ethereal files in /usr
-+allow $1_t usr_t:file { read getattr };
-+
-+# /etc/nsswitch.conf
-+allow $1_t etc_t:file { read getattr };
-+
-+# Networking privileges
-+allow $1_t self:netlink_route_socket create_netlink_socket_perms;
-+allow $1_t self:unix_stream_socket create_stream_socket_perms;
-+allow $1_t self:udp_socket create_socket_perms;
-+allow $1_t self:packet_socket create_socket_perms; 
-+
-+') dnl ethereal_common
-+
-+########################################################
 +# Tethereal 
 +#
 +
@@ -353,26 +342,34 @@
 +domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
 +role sysadm_r types tethereal_t;
 +
-+# Ethereal common
-+ethereal_common(tethereal)
++uses_shlib(tethereal_t)
++read_locale(tethereal_t)
 +
-+########################################################
-+# Ethereal (GNOME) 
-+#
++# Terminal output
++access_terminal(tethereal_t, sysadm)
 +
-+ifdef(`gnome.te', `
++# /proc
++read_sysctl(tethereal_t)
++allow tethereal_t { self proc_t }:dir { read search getattr };
++allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
 +
-+# Type for program
-+type ethereal_t, domain, nscd_client_domain;
++# Access root
++allow tethereal_t root_t:dir search;
 +
-+# Transition from sysadm type
-+domain_auto_trans(sysadm_t, ethereal_exec_t, ethereal_t)
-+role sysadm_r types ethereal_t;
++# Read ethereal files in /usr
++allow tethereal_t usr_t:file { read getattr };
++
++# /etc/nsswitch.conf
++allow tethereal_t etc_t:file { read getattr };
 +
-+# Ethereal common
-+ethereal_common(ethereal)
++# Ethereal sysadm rules
++ethereal_networking(tethereal)
 +
-+') dnl gnome.te
++# FIXME: policy is incomplete
++
++#####################################
++# Ethereal (GNOME) policy can be found
++# in ethereal_macros.te 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/evolution.te policy-1.23.18/domains/program/unused/evolution.te
 --- nsapolicy/domains/program/unused/evolution.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/evolution.te	2005-06-08 09:04:15.000000000 -0400
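Review bot: The comment `# Ethereal sysadm rules` above `ethereal_networking(tethereal)` does not match what the line does; the macro name and the later remark that these rules are "shared w/ tethereal" both say it is the networking/capture rule set. A more useful comment is `# Capture/networking rules shared with sysadm_ethereal_t (ethereal_macros.te)`. The bare `# FIXME: policy is incomplete` on tethereal_t also gives the next maintainer nothing to act on; naming the operations that are still denied (or pointing at the audit entries) would make it actionable.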
@@ -408,15 +405,12 @@
 +# Everything else is in macros/gconfd_macros.te
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gift.te policy-1.23.18/domains/program/unused/gift.te
 --- nsapolicy/domains/program/unused/gift.te	2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/gift.te	2005-06-08 09:04:15.000000000 -0400
-@@ -5,5 +5,9 @@
++++ policy-1.23.18/domains/program/unused/gift.te	2005-06-13 11:53:36.000000000 -0400
+@@ -5,5 +5,6 @@
  
  type gift_exec_t, file_type, exec_type, sysadmfile;
  type giftd_exec_t, file_type, exec_type, sysadmfile;
 +type giftd_port_t, port_type;
-+type giftd_openft_port_t, port_type;
-+type giftd_fasttrack_port_t, port_type;
-+type giftd_gnutella_port_t, port_type;
  
  # Everything else is in macros/gift_macros.te
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gnome.te policy-1.23.18/domains/program/unused/gnome.te
@@ -764,6 +758,14 @@
 @@ -0,0 +1,2 @@
 +/usr/bin/thunderbird.*			--	system_u:object_r:thunderbird_exec_t
 +HOME_DIR/\.thunderbird(/.*)?			system_u:object_r:ROLE_thunderbird_home_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xauth.fc policy-1.23.18/file_contexts/program/xauth.fc
+--- nsapolicy/file_contexts/program/xauth.fc	2005-03-11 15:31:06.000000000 -0500
++++ policy-1.23.18/file_contexts/program/xauth.fc	2005-06-13 11:53:36.000000000 -0400
+@@ -1,3 +1,4 @@
+ # xauth
+ /usr/X11R6/bin/xauth	--	system_u:object_r:xauth_exec_t
++HOME_DIR/\.xauth.*	--	system_u:object_r:ROLE_xauth_home_t
+ HOME_DIR/\.Xauthority.* --	system_u:object_r:ROLE_xauth_home_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.23.18/file_contexts/program/xdm.fc
 --- nsapolicy/file_contexts/program/xdm.fc	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.23.18/file_contexts/program/xdm.fc	2005-06-08 12:04:29.000000000 -0400
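Review bot: `HOME_DIR/\.xauth.*` is open-ended after `.xauth`, and in file_contexts `.` also matches `/`, so besides `~/.xauthXXXX` style files this line labels every regular file anywhere under a `~/.xauth/` directory tree as `ROLE_xauth_home_t`. If only the flat `~/.xauth*` files are meant, `HOME_DIR/\.xauth[^/]*	--	system_u:object_r:ROLE_xauth_home_t` is the tighter pattern. If a `~/.xauth/` directory is intended as well, the `--` type restriction leaves the directory itself unlabeled by this entry, so it would need a separate line without `--`.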
@@ -836,7 +838,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.18/macros/base_user_macros.te
 --- nsapolicy/macros/base_user_macros.te	2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.23.18/macros/base_user_macros.te	2005-06-10 14:12:08.000000000 -0400
++++ policy-1.23.18/macros/base_user_macros.te	2005-06-13 11:54:27.000000000 -0400
 @@ -22,6 +22,14 @@
  undefine(`base_user_domain')
  define(`base_user_domain', `
@@ -852,20 +854,7 @@
  allow $1_t self:capability { setgid chown fowner };
  dontaudit $1_t self:capability { sys_nice fsetid };
  
-@@ -50,6 +58,12 @@
- allow $1_t texrel_shlib_t:file execmod;
- }
- 
-+# Allow user to run restorecon and relabel files
-+can_getsecurity($1_t)
-+allow $1_t default_context_t:file read;
-+allow $1_t file_context_t:file read;
-+
-+
- #
- # kdeinit wants this access
- #
-@@ -85,6 +99,11 @@
+@@ -85,6 +93,11 @@
  allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
  can_setfscreate($1_t)
  
@@ -877,7 +866,7 @@
  allow $1_t autofs_t:dir { search getattr };
  
  if (use_nfs_home_dirs) {
-@@ -182,10 +201,11 @@
+@@ -182,10 +195,11 @@
  ifdef(`screen.te', `screen_domain($1)')
  ifdef(`tvtime.te', `tvtime_domain($1)')
  ifdef(`mozilla.te', `mozilla_domain($1)')
@@ -890,7 +879,7 @@
  ifdef(`startx.te', `xserver_domain($1)')
  ifdef(`lpr.te', `lpr_domain($1)')
  ifdef(`ssh.te', `ssh_domain($1)')
-@@ -196,10 +216,24 @@
+@@ -196,10 +210,24 @@
  ifdef(`uml.te', `uml_domain($1)')
  ifdef(`cdrecord.te', `cdrecord_domain($1)')
  ifdef(`mplayer.te', `mplayer_domains($1)')
@@ -916,7 +905,7 @@
  # Instantiate a derived domain for user cron jobs.
  ifdef(`crond.te', `crond_domain($1)')
  
-@@ -294,8 +328,6 @@
+@@ -294,8 +322,6 @@
  x_client_domain($1, $1)
  
  ifdef(`xserver.te', `
@@ -925,7 +914,7 @@
  allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
  ')
  
-@@ -375,8 +407,6 @@
+@@ -375,8 +401,6 @@
  dontaudit $1_t self:socket create;
  dontaudit $1_t sysctl_net_t:dir search;
  
@@ -1168,8 +1157,8 @@
  allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.23.18/macros/program/ethereal_macros.te
 --- nsapolicy/macros/program/ethereal_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.18/macros/program/ethereal_macros.te	2005-06-08 09:04:15.000000000 -0400
-@@ -0,0 +1,61 @@
++++ policy-1.23.18/macros/program/ethereal_macros.te	2005-06-13 11:53:36.000000000 -0400
+@@ -0,0 +1,82 @@
 +# DESC - Ethereal  
 +#
 +# Author: Ivan Gyurdiev <ivg2 cornell edu>
@@ -1189,6 +1178,8 @@
 +allow $1_t self:unix_stream_socket create_stream_socket_perms;
 +allow $1_t self:tcp_socket create_socket_perms;
 +
++allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };
++
 +# Resolve names via DNS
 +can_resolve($1_t)
 +
@@ -1207,16 +1198,35 @@
 +domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
 +role $1_r types $1_ethereal_t;
 +
++# Manual transition from userhelper 
++ifdef(`userhelper.te', `
++allow $1_userhelper_t { sysadm_ethereal_t $1_ethereal_t }:process { transition siginh rlimitinh noatsecure };
++allow sysadm_ethereal_t $1_userhelper_t:fd use;
++allow sysadm_ethereal_t $1_userhelper_t:process sigchld;
++')
++
 +# X, GNOME
 +x_client_domain($1_ethereal, $1)
 +gnome_application($1_ethereal, $1)
 +gnome_file_dialog($1_ethereal, $1)
 +
++# Why does it write this?
++ifdef(`snmpd.te', `
++dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
++')
++
 +# /home/.ethereal
 +home_domain($1, ethereal)
++file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
 +
 +# Enable restricted networking rules for sysadm - this is shared w/ tethereal
-+ifelse($1, `sysadm', `ethereal_networking($1_ethereal)', `')
++ifelse($1, `sysadm', `
++ethereal_networking($1_ethereal) 
++
++# Ethereal tries to write to user terminal
++dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
++dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
++', `')
 +
 +# Store temporary files
 +tmp_domain($1_ethereal)
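Review bot: `allow $1_userhelper_t { sysadm_ethereal_t $1_ethereal_t }:process { transition siginh rlimitinh noatsecure };` is instantiated for every user prefix, so each user's userhelper domain may enter the privileged sysadm_ethereal_t domain while the caller's environment (`noatsecure` suppresses AT_SECURE, so LD_* variables are not stripped by the loader), pending signals and rlimits all carry across. Whether that is safe depends on userhelper scrubbing its environment before exec, which this policy cannot see. Consider dropping `noatsecure` unless a concrete breakage requires it, and add a comment explaining the path: `# consolehelper -> userhelper -> ethereal as root; PAM authenticates before the transition`. Note also that nothing here authorizes `$1_r` for sysadm_ethereal_t, so the sysadm transition presumably relies on userhelper switching role; if so that should be stated.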
@@ -1475,8 +1485,8 @@
 +') dnl end evolution_domains
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/fontconfig_macros.te policy-1.23.18/macros/program/fontconfig_macros.te
 --- nsapolicy/macros/program/fontconfig_macros.te	2005-05-31 14:20:00.000000000 -0400
-+++ policy-1.23.18/macros/program/fontconfig_macros.te	2005-06-10 14:15:12.000000000 -0400
-@@ -8,17 +8,40 @@
++++ policy-1.23.18/macros/program/fontconfig_macros.te	2005-06-13 11:53:36.000000000 -0400
+@@ -8,17 +8,45 @@
  # read_fonts(domain, role_prefix) - 
  #         allow domain to read fonts, optionally per/user
  #  
@@ -1495,11 +1505,14 @@
 +allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom };
  
 -') dnl gnome_domain
++create_dir_file($1_t, $1_fonts_config_t)
++allow $1_t $1_fonts_config_t:file { relabelto relabelfrom };
+ 
 +# For startup relabel
 +allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
  
 +') dnl fontconfig_domain
- 
++
 +####################
 +
 +define(`read_fonts', `
@@ -1510,7 +1523,9 @@
 +
 +ifelse(`$2', `', `', `
 +
-+allow $1 $2_fonts_cache_t:file create_file_perms;
++# Manipulate the global font cache
++create_dir_file($1, $2_fonts_cache_t)
++
 +# Read per user fonts and font config
 +r_dir_file($1, $2_fonts_t)
 +r_dir_file($1, $2_fonts_config_t)
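Review bot: `create_dir_file($1, $2_fonts_cache_t)` turns `read_fonts` into a macro that also creates and writes the per-user font cache, but its header comment (visible in the previous hunk, `allow domain to read fonts, optionally per/user`) still describes read-only access, so any domain that calls `read_fonts(x, user)` silently gains write access to `user_fonts_cache_t`. Either split the write rules into a separately named macro, or at least update the header to `# read_fonts(domain, role_prefix) - read fonts; with a role_prefix, also create/write that user's font cache`. The `define(`read_fonts'` line lies outside this hunk.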
@@ -2286,8 +2301,8 @@
  }
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/orbit_macros.te policy-1.23.18/macros/program/orbit_macros.te
 --- nsapolicy/macros/program/orbit_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.18/macros/program/orbit_macros.te	2005-06-10 14:18:14.000000000 -0400
-@@ -0,0 +1,48 @@
++++ policy-1.23.18/macros/program/orbit_macros.te	2005-06-13 11:53:36.000000000 -0400
+@@ -0,0 +1,44 @@
 +#
 +# ORBit related types 
 +#
@@ -2303,12 +2318,11 @@
 +ifdef(`orbit_domain_$1_$2', `', `
 +define(`orbit_domain_$1_$2')
 +
-+# Type for ORBit sockets
-+type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
-+
 +# Relabel directory (startup script)
 +allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
 +
++# Type for ORBit sockets
++type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
 +file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
 +allow $1_t tmp_t:dir { read search getattr };
 +
@@ -2332,9 +2346,6 @@
 +can_unix_connect($1_t, $2_t)
 +allow $1_t $2_orbit_tmp_t:sock_file write;
 +
-+# Why do they do that?
-+dontaudit $1_t $2_orbit_tmp_t:dir setattr;
-+
 +') dnl orbit_connect
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.23.18/macros/program/spamassassin_macros.te
 --- nsapolicy/macros/program/spamassassin_macros.te	2005-04-27 10:28:55.000000000 -0400


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.317
retrieving revision 1.318
diff -u -r1.317 -r1.318
--- selinux-policy-targeted.spec	10 Jun 2005 20:44:03 -0000	1.317
+++ selinux-policy-targeted.spec	13 Jun 2005 19:14:18 -0000	1.318
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.18
-Release: 5
+Release: 6
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -234,6 +234,9 @@
 exit 0
 
 %changelog
+* Mon Jun 13 2005 Dan Walsh <dwalsh redhat com> 1.23.18-6
+- Further cleanup of user separation patches from Ivan
+
 * Fri Jun 10 2005 Dan Walsh <dwalsh redhat com> 1.23.18-5
 - Further cleanup of user separation patches from Ivan
 

