From 5bc3cbd79552491e30b816c560ec9f4985650f8a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 27 2010 15:49:51 +0000
Subject: - Allow sandbox_xserver to connectto unconfined stream
Resolves: #585171
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 5a1c439..fbc0344 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -5382,7 +5382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
 /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-03-29 15:04:22.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-27 10:22:12.000000000 -0400
 @@ -186,6 +186,25 @@
 ########################################
@@ -5687,7 +5687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +# No types are sandbox_exec_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-04-27 09:54:37.000000000 -0400
 @@ -0,0 +1,287 @@
 +
 +## policy for sandbox
@@ -5731,7 +5731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 + dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
 + dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
 + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
-+ allow sandbox_xserver_t $1:unix_stream_socket { read write };
++ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
 +
 + allow sandbox_x_domain $1:process { sigchld signal };
 + allow sandbox_x_domain sandbox_x_domain:process signal;
@@ -9044,7 +9044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-21 17:30:44.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-27 09:14:39.000000000 -0400
 @@ -1959,7 +1959,7 @@
 ')
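Review bot: The new rule `allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };` is a considerably wider grant than the `{ read write }` it replaces: read/write only apply to a socket descriptor the sandbox X server already holds, whereas connectto lets sandbox_xserver_t initiate a connection to any listening unix stream socket labelled with the $1 domain, and rw_socket_perms covers more than read and write. Per the commit subject $1 is the unconfined domain here, so the rule reaches every stream socket that domain listens on rather than only the one behind #585171; if the target socket has (or can be given) a more specific type, that type would be the better object for the connectto, and in any case a comment on the line naming the socket the X server must reach, e.g. `# connectto needed for <socket from bug 585171 - fill in>`, would record why this permission exists. The interface definition containing this block begins and ends outside the hunk.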
@@ -20455,6 +20455,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +optional_policy(`
 + unconfined_dontaudit_rw_packet_sockets(nscd_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.7.19/policy/modules/services/nslcd.te
+--- nsaserefpolicy/policy/modules/services/nslcd.te 2009-12-18 11:38:25.000000000 -0500
++++ serefpolicy-3.7.19/policy/modules/services/nslcd.te 2010-04-27 09:14:53.000000000 -0400
+@@ -35,6 +35,8 @@
+ manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
++kernel_read_system_state(nslcd_t)
++
+ files_read_etc_files(nslcd_t)
+
+ auth_use_nsswitch(nslcd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.19/policy/modules/services/ntop.te
 --- nsaserefpolicy/policy/modules/services/ntop.te 2010-04-05 14:44:26.000000000 -0400
 +++ serefpolicy-3.7.19/policy/modules/services/ntop.te 2010-04-14 10:48:18.000000000 -0400
@@ -28849,7 +28861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-26 14:20:49.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-27 10:22:42.000000000 -0400
 @@ -17,6 +17,20 @@
 ## gen_tunable(init_upstart, false)
@@ -29066,7 +29078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 files_dontaudit_read_root_files(initrc_t)
 # These seem to be from the initrd
-@@ -517,6 +571,19 @@
+@@ -517,6 +571,23 @@
 optional_policy(`
 bind_manage_config_dirs(initrc_t)
 bind_write_config(initrc_t)
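Review bot: The `kernel_read_system_state(nslcd_t)` grant added in this nslcd.te hunk is not covered by the subject line or by the spec changelog entry, which records only the sandbox_xserver change; the same holds for the `pulseaudio_stream_connect(initrc_t)` block added to init.te, the `sysnet_etc_filetrans_config(ipsec_t)` to `ipsec_mgmt_t` correction in ipsec.te, and the removal of the `userdom_admin` interface from userdomain.if later in this patch. Each of these is a separate access change to a different domain, and presumably each has its own bug or AVC denial behind it, so a changelog line per change (or a bug reference in the commit body) would let the new permissions be audited individually later. For the removed interface in particular, a note on whether any module still calls `userdom_admin` would confirm the deletion is safe, since that cannot be seen from the hunk.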
@@ -29083,10 +29095,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +
 + optional_policy(`
 + ldap_read_db_files(initrc_t)
++ ')
++
++ optional_policy(`
++ pulseaudio_stream_connect(initrc_t)
 ')
 optional_policy(`
-@@ -542,6 +609,35 @@
+@@ -542,6 +613,35 @@
 ')
 ')
@@ -29122,7 +29138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 amavis_search_lib(initrc_t)
 amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +650,8 @@
+@@ -554,6 +654,8 @@
 optional_policy(`
 apache_read_config(initrc_t)
 apache_list_modules(initrc_t)
@@ -29131,7 +29147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -594,6 +692,7 @@
+@@ -594,6 +696,7 @@
 dbus_connect_system_bus(initrc_t)
 dbus_system_bus_client(initrc_t)
 dbus_read_config(initrc_t)
@@ -29139,7 +29155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 consolekit_dbus_chat(initrc_t)
-@@ -647,11 +746,6 @@
+@@ -647,11 +750,6 @@
 ')
 optional_policy(`
@@ -29151,7 +29167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 kerberos_use(initrc_t)
 ')
-@@ -690,12 +784,22 @@
+@@ -690,12 +788,22 @@
 ')
 optional_policy(`
@@ -29174,7 +29190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -718,6 +822,10 @@
+@@ -718,6 +826,10 @@
 ')
 optional_policy(`
@@ -29185,7 +29201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 postgresql_manage_db(initrc_t)
 postgresql_read_config(initrc_t)
 ')
-@@ -760,8 +868,6 @@
+@@ -760,8 +872,6 @@
 # bash tries ioctl for some reason
 files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29194,7 +29210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -774,10 +880,12 @@
+@@ -774,10 +884,12 @@
 squid_manage_logs(initrc_t)
 ')
@@ -29207,7 +29223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +898,7 @@
+@@ -790,6 +902,7 @@
 optional_policy(`
 udev_rw_db(initrc_t)
@@ -29215,7 +29231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 udev_manage_pid_files(initrc_t)
 ')
-@@ -798,11 +907,18 @@
+@@ -798,11 +911,18 @@
 ')
 optional_policy(`
@@ -29235,7 +29251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ifdef(`distro_redhat',`
 # system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +928,25 @@
+@@ -812,6 +932,25 @@
 optional_policy(`
 mono_domtrans(initrc_t)
 ')
@@ -29261,7 +29277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -837,3 +972,34 @@
+@@ -837,3 +976,34 @@
 optional_policy(`
 zebra_read_config(initrc_t)
 ')
@@ -29298,7 +29314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-04-26 11:46:12.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-04-27 10:28:39.000000000 -0400
 @@ -73,7 +73,7 @@
 #
@@ -29357,7 +29373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 +sysnet_read_config(ipsec_mgmt_t)
 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
-+sysnet_etc_filetrans_config(ipsec_t)
++sysnet_etc_filetrans_config(ipsec_mgmt_t)
 userdom_use_user_terminals(ipsec_mgmt_t)
@@ -32809,7 +32825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)? <>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-23 11:49:25.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-27 08:35:15.000000000 -0400
 @@ -30,8 +30,9 @@
 ')
@@ -34324,7 +34340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 kernel_search_proc($1)
 ')
-@@ -3111,3 +3412,682 @@
+@@ -3111,3 +3412,664 @@
 allow $1 userdomain:dbus send_msg;
 ')
@@ -34510,24 +34526,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +########################################
 +##
-+## Add attrinute admin domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_admin',`
-+ gen_require(`
-+ attribute admin_userdomain;
-+ ')
-+
-+ typeattribute $1 admin_userdomain;
-+')
-+
-+########################################
-+##
 +## Send a message to unpriv users over a unix domain
 +## datagram socket.
 +##
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 80c4810..e179eb2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,10 @@ exit 0
 %endif
 %changelog
+* Tue Apr 27 2010 Dan Walsh 3.7.19-7
+- Allow sandbox_xserver to connectto unconfined stream
+Resolves: #585171
+
 * Mon Apr 26 2010 Dan Walsh 3.7.19-6
 - Allow initrc_t to read slapd_db_t
 Resolves: #585476