From 86205103d74595116837ae442b196c570a607469 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 06 2008 21:55:53 +0000 Subject: - Fix openoffice policy to allow it to run from firefox on xguest --- diff --git a/policy-20070703.patch b/policy-20070703.patch index b10ac8d..b091d97 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -3043,7 +3043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-02-06 09:05:24.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-03-06 11:18:15.000000000 -0500 @@ -11,6 +11,7 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -3052,7 +3052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,11 @@ +@@ -20,5 +21,13 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) 
@@ -3064,11 +3064,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + -+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++ +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-01-28 10:57:36.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-03-06 11:16:06.000000000 -0500 @@ -32,7 +32,7 @@ ## ## 
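Review bot: The two new java.fc entries `/usr/lib/openoffice\.org.*/program/.+\.bin` and `/usr/lib64/openoffice\.org.*/program/.+\.bin` replace one `/usr/lib(64)?/...` pattern without saying why, and the same lib/lib64 split is repeated in the corecommands.fc and libraries.fc hunks later in this commit. Presumably the literal `/usr/lib/` and `/usr/lib64/` prefixes are needed so these entries sort as more specific than the generic `/usr/lib/.*/program(/.*)?` rules they have to win against in the generated file_contexts; if that is the reason, a one-line comment above the entries would stop the next editor from folding them back, e.g. `# lib and lib64 listed separately so the literal prefix outranks the generic program(/.*)? entries`. Note also that the label moves from unconfined_execmem_exec_t (the old line is removed from unconfined.fc at the end of this page) to java_exec_t, so for callers of the java.if template every `.bin` under program/, not only soffice.bin, now enters the caller's javaplugin domain.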
@@ -3095,16 +3097,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if allow $1_javaplugin_t $2:unix_stream_socket connectto; allow $1_javaplugin_t $2:unix_stream_socket { read write }; userdom_write_user_tmp_sockets($1,$1_javaplugin_t) -@@ -81,8 +84,7 @@ +@@ -69,6 +72,7 @@ + manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) + manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) + files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir }) ++ allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; + + manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) + manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) +@@ -81,9 +85,7 @@ can_exec($1_javaplugin_t, java_exec_t) - # The user role is authorized for this domain. - domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) -+ domain_auto_trans($2, java_exec_t, $1_javaplugin_t) - allow $1_javaplugin_t $2:fd use; +- allow $1_javaplugin_t $2:fd use; ++ domtrans_pattern($2, java_exec_t, $1_javaplugin_t) # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; + allow $1_javaplugin_t $2:process signull; @@ -94,7 +96,7 @@ kernel_read_system_state($1_javaplugin_t) 
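Review bot: `allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;` is added unconditionally in the `@@ -69,6 +72,7 @@` hunk, while the next java.if hunk on this page (`@@ -147,8 +158,6 @@`) removes the same rule from inside `tunable_policy(\`allow_java_execstack',...)`, so executing files the plugin wrote into its own tmp directory stops being something an administrator can switch off. Together with the `manage_files_pattern` on the same type two lines above, every `$1_javaplugin_t` domain — which this commit also makes the domain OpenOffice enters when started from a user domain — gets an always-on write-then-execute path through its tmp directory. If the execute permission is genuinely needed outside the execstack case, a dedicated boolean or a comment explaining why the tunable no longer fits would record the decision; otherwise keeping the rule under `allow_java_execstack` preserves the previous restrictability. The enclosing template starts and ends outside this hunk.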
@@ -3148,7 +3159,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t) userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) -@@ -166,6 +177,62 @@ +@@ -147,8 +158,6 @@ + tunable_policy(`allow_java_execstack',` + allow $1_javaplugin_t self:process execstack; + +- allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; +- + libs_legacy_use_shared_libs($1_javaplugin_t) + libs_legacy_use_ld_so($1_javaplugin_t) + +@@ -166,6 +175,62 @@ optional_policy(` xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') @@ -3211,7 +3231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -219,3 +286,66 @@ +@@ -219,3 +284,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -4136,7 +4156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-02-19 09:59:23.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-03-06 10:57:37.000000000 -0500 @@ -7,6 +7,7 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) 
@@ -4211,7 +4231,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -259,3 +270,23 @@ +@@ -188,6 +199,7 @@ + + ifdef(`distro_redhat', ` + /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +@@ -259,3 +271,23 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5525,7 +5553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-02-26 17:48:01.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-03-06 10:50:53.000000000 -0500 @@ -271,45 +271,6 @@ ######################################## @@ -5756,7 +5784,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy interface(`fs_dontaudit_read_ramfs_files',` gen_require(` type ramfs_t; -@@ -3206,6 +3305,7 @@ +@@ -2885,6 +2984,7 @@ + type tmpfs_t; + ') + ++ dontaudit $1 tmpfs_t:dir rw_dir_perms; + dontaudit $1 tmpfs_t:file rw_file_perms; + ') + +@@ -3206,6 +3306,7 @@ ') allow $1 filesystem_type:filesystem getattr; @@ -5764,7 +5800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -3322,6 +3422,24 @@ +@@ -3322,6 +3423,24 @@ ######################################## ## 
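Review bot: `dontaudit $1 tmpfs_t:dir rw_dir_perms;` is inserted into a filesystem.if interface whose name and doc comment lie outside the hunk (`@@ -2885,6 +2984,7 @@`); the neighbouring `dontaudit $1 tmpfs_t:file rw_file_perms;` suggests it is the interface for silencing tmpfs file read/write denials. If so, every existing caller now also loses directory read/write denials on tmpfs without the interface name or its description saying so, which hides audit events a defender may be relying on; either the interface description should state that directories are covered too, or the dir rule belongs in its own interface so existing callers keep their previous audit behaviour. The corecommands.fc hunk on this line (`/usr/lib64/.*/program(/.*)?`) would also benefit from a comment explaining why lib and lib64 are listed separately instead of `lib(64)?`.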
@@ -5789,7 +5825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## List all directories with a filesystem type. ## ## -@@ -3533,3 +3651,62 @@ +@@ -3533,3 +3652,62 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') @@ -10140,7 +10176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-03-04 16:29:48.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-03-06 16:54:33.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(fail2ban,1.0.0) @@ -10159,7 +10195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail kernel_read_system_state(fail2ban_t) -@@ -47,14 +48,20 @@ +@@ -47,14 +48,23 @@ files_read_etc_files(fail2ban_t) files_read_usr_files(fail2ban_t) @@ -10167,6 +10203,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +files_search_var_lib(fail2ban_t) + +fs_list_inotifyfs(fail2ban_t) ++ ++auth_use_nsswitch(fail2ban_t) ++corenet_tcp_connect_whois_port(fail2ban_t) libs_use_ld_so(fail2ban_t) libs_use_shared_libs(fail2ban_t) 
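Review bot: `corenet_tcp_connect_whois_port(fail2ban_t)` and `auth_use_nsswitch(fail2ban_t)` are added with no comment, and they give a daemon that otherwise only reads logs and drives iptables outbound TCP to the whois port plus name-service lookups. Presumably this is for the whois lookups in fail2ban's ban-notification actions, which many deployments never enable; putting the connect rule behind a boolean would keep the default egress of fail2ban_t as narrow as before. At minimum a comment such as `# whois lookups for the ban-notification mail actions` above the two lines tells the next reader why a log-watching daemon needs network access.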
@@ -10181,6 +10220,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail optional_policy(` apache_read_log(fail2ban_t) ') +@@ -64,5 +74,11 @@ + ') + + optional_policy(` ++ gamin_domtrans(fail2ban_t) ++ gamin_stream_connect(fail2ban_t) ++') ++ ++optional_policy(` + iptables_domtrans(fail2ban_t) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.0.8/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/fetchmail.te 2008-01-17 09:03:07.000000000 -0500 
@@ -10289,6 +10340,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.0.8/policy/modules/services/gamin.fc +--- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/gamin.fc 2008-03-06 16:51:35.000000000 -0500 +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.0.8/policy/modules/services/gamin.if +--- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/gamin.if 2008-03-06 16:51:35.000000000 -0500 +@@ -0,0 +1,39 @@ ++ ++## policy for gamin ++ ++######################################## ++## ++## Execute a domain transition to run gamin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gamin_domtrans',` ++ gen_require(` ++ type gamin_t; ++ type gamin_exec_t; ++ ') ++ ++ domtrans_pattern($1,gamin_exec_t,gamin_t) ++') ++ ++######################################## ++## ++## Connect to gamin over an unix stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gamin_stream_connect',` ++ gen_require(` ++ type gamin_t; ++ ') ++ ++ allow $1 gamin_t:unix_stream_socket connectto; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.0.8/policy/modules/services/gamin.te +--- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/gamin.te 2008-03-06 16:51:35.000000000 -0500 +@@ -0,0 +1,38 @@ ++policy_module(gamin,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type gamin_t; ++type gamin_exec_t; ++init_daemon_domain(gamin_t, gamin_exec_t) ++ ++######################################## ++# ++# gamin local policy ++# ++ ++# Init script handling ++domain_use_interactive_fds(gamin_t) ++ ++# internal communication is often done using fifo and unix sockets. ++allow gamin_t self:fifo_file rw_file_perms; ++allow gamin_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(gamin_t) ++files_read_etc_runtime_files(gamin_t) ++files_list_all(gamin_t) ++files_getattr_all_files(gamin_t) ++ ++fs_list_inotifyfs(gamin_t) ++domain_read_all_domains_state(gamin_t) ++ ++libs_use_ld_so(gamin_t) ++libs_use_shared_libs(gamin_t) ++ ++miscfiles_read_localization(gamin_t) ++ ++role unconfined_r types gamin_t; ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2008-01-17 09:03:07.000000000 -0500 
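Review bot: gamin.te declares `gamin_t` with `init_daemon_domain(gamin_t, gamin_exec_t)` and a `# Init script handling` comment, yet the only way this commit enters the domain is `gamin_domtrans(fail2ban_t)` in the fail2ban.te hunk earlier on this page, which suggests gam_server is spawned by its client process rather than by an init script — if so, the init-daemon declaration and comment are template residue and a comment should state who execs gam_server. `domain_read_all_domains_state(gamin_t)` is also broad for a file-change notifier: `files_list_all` and `files_getattr_all_files` match what a monitor serving arbitrary paths does, but reading every domain's /proc state has no visible justification and deserves either a why-comment or removal, especially since the fail2ban-spawned child gains rights fail2ban_t itself does not have. `role unconfined_r types gamin_t;` hard-codes a role in the .te, and `gamin_stream_connect` grants only `connectto`; if gam_server listens on a named socket rather than an abstract one, callers will additionally need write access to a sock_file type that this module does not declare. The new gamin.fc also begins with an empty line.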
@@ -11202,7 +11344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-31 11:46:14.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-03-06 11:57:46.000000000 -0500 @@ -1,11 +1,13 @@ -policy_module(mta,1.7.1) @@ -11291,11 +11433,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +158,33 @@ +@@ -136,11 +158,37 @@ ') optional_policy(` -+ clamav_stream_connect(sendmail_t) ++ clamav_stream_connect(system_mail_t) ++') ++ ++optional_policy(` ++ fail2ban_append_log(system_mail_t) +') + +optional_policy(` @@ -11309,7 +11455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. -# should break this up among sections: +init_stream_connect_script(mailserver_delivery) +init_rw_script_stream_sockets(mailserver_delivery) -+ + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mailserver_delivery) + fs_manage_cifs_files(mailserver_delivery) @@ -11321,12 +11467,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + fs_manage_nfs_files(mailserver_delivery) + fs_manage_nfs_symlinks(mailserver_delivery) +') - ++ +# should break this up among sections: optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +198,4 @@ +@@ -154,3 +202,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') 
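Review bot: `fail2ban_append_log(system_mail_t)` is added inside `optional_policy`, but no hunk in this commit defines `fail2ban_append_log` in fail2ban.if; unless it is already present in the patched fail2ban.if, the m4 expansion leaves the call unexpanded and the build fails. Presumably the grant is needed because fail2ban_t invokes sendmail with its log file still open on stdout/stderr; a comment such as `# fail2ban hands sendmail its log fd when mailing a ban notice` would explain why mail delivery writes to another daemon's log, and a dontaudit would be the narrower choice if those writes are not actually wanted. The change of `clamav_stream_connect` from `sendmail_t` to `system_mail_t` is unexplained as well; one line saying which domain actually talks to clamd here would help.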
@@ -19088,7 +19234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-02-11 16:25:54.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-03-06 10:59:16.000000000 -0500 @@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -19166,7 +19312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware -@@ -284,3 +299,16 @@ +@@ -284,3 +299,18 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -19183,6 +19329,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib64/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) ++/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2008-01-17 09:03:07.000000000 -0500 
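Review bot: The two new libraries.fc entries end in `program(/.*)?\.so` rather than the `\.so(\.[^/]*)*` form the rest of the file uses (see the `/opt/(.*/)?jre.*/.+\.so(\.[^/]*)*` context line in the preceding libraries.fc hunk), so versioned sonames such as `libfoo.so.1` under a program/ directory are not matched and fall through to the `/usr/lib/.*/program(/.*)?` bin_t entries this commit adds to corecommands.fc. Because the slash group is optional, `(/.*)?\.so` also matches a file literally named `program.so` directly under any `/usr/lib/*/` directory. Suggested: `/usr/lib/.*/program(/.*)?/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)` and the matching `/usr/lib64/...` twin, with `--` so only regular files are relabeled as in the neighbouring entries.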
@@ -21420,14 +21568,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2008-03-04 10:18:00.000000000 -0500 -@@ -7,6 +7,10 @@ ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2008-03-06 11:18:43.000000000 -0500 +@@ -7,6 +7,8 @@ /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/lib(64)?/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - +- /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 69105b2..b08adc1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 91%{?dist} +Release: 92%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,9 @@ exit 0 %endif %changelog +* Thu Mar 4 2008 Dan Walsh 3.0.8-92 +- Fix openoffice policy to allow it to run from firefox on xguest + * Tue Mar 4 2008 Dan Walsh 3.0.8-91 - Allow rpc.mountd to write to lvm_control_t chr_file