From 3b13a834c7dd78dca06c0f12d9695cc17bff9572 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 24 2007 14:20:35 +0000
Subject: - Allow xserver to be started by unconfined process and talk to tty
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index 12fe3b2..fac8a98 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -2226,7 +2226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
 corenet_sendrecv_all_server_packets(vmware_host_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.6/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/apps/wine.if 2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/apps/wine.if 2007-08-24 10:17:01.000000000 -0400
 @@ -18,3 +18,34 @@
 corecmd_search_bin($1)
 domtrans_pattern($1, wine_exec_t, wine_t)
@@ -7347,7 +7347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.6/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/samba.te 2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/samba.te 2007-08-23 17:07:11.000000000 -0400
 @@ -190,6 +190,8 @@
 miscfiles_read_localization(samba_net_t)
@@ -7376,10 +7376,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 domain_use_interactive_fds(smbd_t)
 domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -350,6 +353,10 @@
+@@ -350,6 +353,14 @@
 ')
 optional_policy(`
++ kerberos_read_keytab(smbd_t)
++')
++
++optional_policy(`
 + lpd_exec_lpr(smbd_t)
 +')
 +
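Review bot: The new `kerberos_read_keytab(smbd_t)` block in the samba.te hunk grants smbd read access to the system keytab without a comment saying why, although the neighbouring `lpd_exec_lpr` block it mirrors in form is equally bare. A keytab holds the host's long-term Kerberos keys, so a one-line why-comment above the optional_policy block would let the next reviewer judge the grant, e.g. `# smbd reads the host keytab for Kerberos-authenticated clients` — the exact Samba feature driving this is not visible in the hunk, so confirm the wording before adding it. The block itself is well-formed and the inner hunk header's new count (`+@@ -350,6 +353,14 @@`) matches the four added lines.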
@@ -7387,7 +7391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 cups_read_rw_config(smbd_t)
 cups_stream_connect(smbd_t)
 ')
-@@ -533,6 +540,7 @@
+@@ -533,6 +544,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 term_list_ptys(smbmount_t)
@@ -7395,7 +7399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 corecmd_list_bin(smbmount_t)
-@@ -556,6 +564,11 @@
+@@ -556,6 +568,11 @@
 sysnet_read_config(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
@@ -7407,7 +7411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 optional_policy(`
 nis_use_ypbind(smbmount_t)
-@@ -570,15 +583,18 @@
+@@ -570,15 +587,18 @@
 # SWAT Local policy
 #
@@ -7429,7 +7433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
-@@ -597,7 +613,9 @@
+@@ -597,7 +617,9 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -7440,7 +7444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -622,17 +640,20 @@
+@@ -622,17 +644,20 @@
 dev_read_urand(swat_t)
@@ -7461,7 +7465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 logging_search_logs(swat_t)
 miscfiles_read_localization(swat_t)
-@@ -660,6 +681,24 @@
+@@ -660,6 +685,24 @@
 nscd_socket_use(swat_t)
 ')
@@ -7486,7 +7490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ########################################
 #
 # Winbind local policy
-@@ -672,7 +711,6 @@
+@@ -672,7 +715,6 @@
 allow winbind_t self:fifo_file { read write };
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -7494,7 +7498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow winbind_t self:tcp_socket create_stream_socket_perms;
 allow winbind_t self:udp_socket create_socket_perms;
-@@ -709,6 +747,8 @@
+@@ -709,6 +751,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -7503,7 +7507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +773,9 @@
+@@ -733,7 +777,9 @@
 fs_getattr_all_fs(winbind_t)
 fs_search_auto_mountpoints(winbind_t)
@@ -7513,7 +7517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 domain_use_interactive_fds(winbind_t)
-@@ -746,9 +788,6 @@
+@@ -746,9 +792,6 @@
 miscfiles_read_localization(winbind_t)
@@ -7523,7 +7527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +797,6 @@
+@@ -758,10 +801,6 @@
 ')
 optional_policy(`
@@ -7534,7 +7538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 seutil_sigchld_newrole(winbind_t)
 ')
-@@ -804,6 +839,7 @@
+@@ -804,6 +843,7 @@
 optional_policy(`
 squid_read_log(winbind_helper_t)
 squid_append_log(winbind_helper_t)
@@ -8195,7 +8199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.6/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/xserver.if 2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/xserver.if 2007-08-24 10:18:58.000000000 -0400
 @@ -126,6 +126,8 @@
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev($1_xserver_t)
@@ -8416,7 +8420,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ## Transition to a user Xauthority domain.
 ##
 ##
-@@ -1136,7 +1244,7 @@
+@@ -987,6 +1095,37 @@
+
+ ########################################
+ ##
++## Execute xsever in the xdm_xserver domain, and
++## allow the specified role the xdm_xserver domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to be allowed the xdm_xserver domain.
++##
++##
++##
++##
++## The type of the terminal allow the xdm_xserver domain to use.
++##
++##
++#
++interface(`xserver_run_xdm_xserver',`
++ gen_require(`
++ type xdm_xserver_t;
++ ')
++
++ xserver_domtrans_xdm_xserver($1)
++ role $2 types xdm_xserver_t;
++ allow xdm_xserver_t $3:chr_file rw_term_perms;
++')
++
++########################################
++##
+ ## Make an X session script an entrypoint for the specified domain.
+ ##
+ ##
+@@ -1136,7 +1275,7 @@
 type xdm_xserver_tmp_t;
 ')
@@ -8425,7 +8467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -1325,3 +1433,62 @@
+@@ -1325,3 +1464,62 @@
 files_search_tmp($1)
 stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
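Review bot: The summary of the new `xserver_run_xdm_xserver` interface misspells the program name (`## Execute xsever in the xdm_xserver domain, and`) and the third-parameter description is ungrammatical; suggest `## Execute the X server in the xdm_xserver domain, and` and `## The type of the terminal the xdm_xserver domain is allowed to use.` Beyond wording, the body's `allow xdm_xserver_t $3:chr_file rw_term_perms;` is an allow on the shared xdm_xserver_t domain, not on the calling process, so every process in that domain (presumably including an X server started by the display manager, if it lands in the same domain — not visible here) gains read/write on the caller's terminal type; the interface description should say so, since that is what a caller hands over. The parameter order (domain, role, terminal) matches the refpolicy `*_run_*` convention, which is fine.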
@@ -11457,7 +11499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.6/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/unconfined.te 2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/system/unconfined.te 2007-08-24 10:16:34.000000000 -0400
 @@ -5,28 +5,36 @@
 #
 # Declarations
@@ -11628,7 +11670,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
+- xserver_domtrans_xdm_xserver(unconfined_t)
++ xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 + xserver_xdm_rw_shm(unconfined_t)
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e6ddff2..e420bf3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
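Review bot: The new call `xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })` in the unconfined.te hunk passes two terminal types as the third argument, so the interface's single `allow xdm_xserver_t $3:chr_file rw_term_perms;` expands to read/write on both the pty and the tty type, which is wider than the commit subject's "talk to tty" suggests. The Declarations hunk (`@@ -5,28 +5,36 @@`) is cut off in this diff, so whether `unconfined_devpts_t` and `unconfined_tty_device_t` are declared in this module or need a `gen_require` cannot be checked here — please confirm, since an undeclared type fails at module build. A one-line comment above the call, e.g. `# let an X server started from an unconfined shell use that shell's terminal`, would record the intent next to the grant. The enclosing optional_policy block is fully inside the hunk; the Release bump in the spec hunk on the same line needs no comment.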
@@ -97,9 +97,6 @@ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic}
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
 touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
 touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 enableaudit \
-make -W base.conf NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
-install -m0644 base.pp %{buildroot}%{_usr}/share/selinux/%1/enableaudit.pp \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
@@ -360,6 +357,9 @@ exit 0
 %endif
 %changelog
+* Fri Aug 24 2007 Dan Walsh 3.0.6-2
+- Allow xserver to be started by unconfined process and talk to tty
+
 * Wed Aug 22 2007 Dan Walsh 3.0.6-1
 - Upgrade to upstream to grab postgressql changes
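Review bot: The changelog entry added in the second hunk (`- Allow xserver to be started by unconfined process and talk to tty`) does not mention the first hunk, which drops the three lines that built and installed `enableaudit.pp` (`make ... enableaudit \`, `make -W base.conf ... base.pp \`, `install -m0644 base.pp ... enableaudit.pp \`); a packaging change that stops shipping a file deserves its own changelog line, e.g. `- Drop the enableaudit.pp build from the policy build macro`. If `enableaudit.pp` is still listed in a %files section or touched by a scriptlet elsewhere in the spec, rpmbuild will fail on the missing file — that part of the spec is outside this diff, so please check. The build macro whose body is edited starts before the hunk and continues after it.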