Adding patches for base policy

commit b1899e7c0985e66922c4f4465d5c06dddb63c160 1 parent 5bfe751
@sjvermeu authored
7 selinux-modules/patches/0040-gorg-introduce_gorg_domain-r8.patch
@@ -1,14 +1,11 @@
--- refpolicy/policy/modules/services/gorg.te 1970-01-01 01:00:00.000000000 +0100
-+++ refpolicy/policy/modules/services/gorg.te 2011-12-06 10:22:57.352020520 +0100
-@@ -0,0 +1,65 @@
++++ refpolicy/policy/modules/services/gorg.te 2011-12-06 11:27:02.279028727 +0100
+@@ -0,0 +1,62 @@
+policy_module(gorg, 1.0.0)
+
+type gorg_t;
+type gorg_exec_t;
-+typealias gorg_t alias { staff_gorg_t user_gorg_t };
+application_domain(gorg_t, gorg_exec_t)
-+role staff_r types gorg_t;
-+role user_r types gorg_t;
+
+type gorg_cache_t;
+files_type(gorg_cache_t);
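Review bot: Dropping `role staff_r types gorg_t;` and `role user_r types gorg_t;` together with the typealias leaves gorg_t with no role authorisation in this file, so a transition into gorg_t from a staff_r or user_r process will be refused as an invalid context unless a `gorg_role()` interface in gorg.if (not in this hunk) does the `role $1 types gorg_t;` on behalf of callers. If that interface exists, a one-line comment above `application_domain(gorg_t, gorg_exec_t)` such as `# roles are authorised for gorg_t through gorg_role() in gorg.if` makes the dependency visible; if it does not, the role statements need to come back. The rest of the generated gorg.te (59 further lines) is outside this hunk.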
48 selinux-modules/patches/0060-mutt-update_xdg_calls-r8.patch
@@ -0,0 +1,48 @@
+--- refpolicy/policy/modules/apps/mutt.te 2011-12-09 20:15:50.042001485 +0100
++++ refpolicy/policy/modules/apps/mutt.te 2011-12-09 19:05:52.690642348 +0100
+@@ -37,7 +37,6 @@
+
+ allow mutt_t self:process signal_perms;
+ allow mutt_t self:fifo_file rw_fifo_file_perms;
+-# TODO dgrift has self:unix_stream_socket create_socket_perms; here too?
+
+ manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
+ manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
+@@ -45,8 +44,6 @@
+
+ manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+ manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+-# TODO check if this is needed - where are these fifos created as mutt_tmp_t ? There is no filetrans defined for it.
+-#manage_fifo_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+ files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })
+
+ read_files_pattern(mutt_t, mutt_etc_t, mutt_etc_t)
+@@ -54,7 +51,6 @@
+ read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)
+
+
+-# TODO dgrift has kernel_read_crypto_sysctls(mutt_t)
+ kernel_read_system_state(mutt_t)
+
+ corecmd_exec_bin(mutt_t)
+@@ -84,8 +80,6 @@
+
+ miscfiles_read_localization(mutt_t)
+
+-userdom_manage_xdg_cache_home(mutt_t)
+-userdom_read_xdg_config_home(mutt_t)
+ userdom_search_user_home_content(mutt_t)
+ userdom_use_user_terminals(mutt_t)
+
+@@ -93,6 +87,11 @@
+ gpg_domtrans(mutt_t)
+ ')
+
++optional_policy(`
++ xdg_manage_generic_cache_home_content(mutt_t)
++ xdg_read_generic_config_home_files(mutt_t)
++')
++
+ tunable_policy(`mutt_manage_user_content',`
+ # Needed for handling attachments
+ userdom_manage_user_home_content_files(mutt_t)
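Review bot: `xdg_read_generic_config_home_files(mutt_t)` in the added optional_policy block grants mutt read and list access to everything under ~/.config that carries the generic xdg_config_home_t label, i.e. the configuration of every other application without a private type there, while the `mutt_conf_t` that mutt already reads (`read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)` in the preceding context) is the tighter fit. If mutt's own files live under ~/.config/mutt, label them privately instead: `xdg_config_home_content(mutt_conf_t)` in the declarations plus a `HOME_DIR/\.config/mutt(/.*)?` entry for mutt_conf_t in mutt.fc, keeping the generic read only if mutt genuinely needs other applications' configuration. Whether the removed `userdom_read_xdg_config_home(mutt_t)` was narrower cannot be told from this hunk.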
624 selinux-modules/patches/0060-xdg-introduce_xdg_types-r8.patch
@@ -0,0 +1,624 @@
+--- refpolicy/policy/modules/system/xdg.te 1970-01-01 01:00:00.000000000 +0100
++++ refpolicy/policy/modules/system/xdg.te 2011-10-09 14:56:19.041569997 +0200
+@@ -0,0 +1,26 @@
++policy_module(xdg, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute xdg_data_home_type;
++
++attribute xdg_config_home_type;
++
++attribute xdg_cache_home_type;
++
++attribute xdg_runtime_home_type;
++
++type xdg_data_home_t;
++xdg_data_home_content(xdg_data_home_t)
++
++type xdg_config_home_t;
++xdg_config_home_content(xdg_config_home_t)
++
++type xdg_cache_home_t;
++xdg_cache_home_content(xdg_cache_home_t)
++
++type xdg_runtime_home_t;
++xdg_runtime_home_content(xdg_runtime_home_t)
+--- refpolicy/policy/modules/system/xdg.if 1970-01-01 01:00:00.000000000 +0100
++++ refpolicy/policy/modules/system/xdg.if 2011-12-09 22:24:14.463017929 +0100
+@@ -0,0 +1,581 @@
++## <summary>Policy for xdg desktop standard</summary>
++
++########################################
++## <summary>
++## Mark the selected type as an xdg_data_home_type
++## </summary>
++## <param name="type">
++## <summary>
++## Type to give the xdg_data_home_type attribute to
++## </summary>
++## </param>
++#
++interface(`xdg_data_home_content',`
++ gen_require(`
++ attribute xdg_data_home_type;
++ ')
++
++ typeattribute $1 xdg_data_home_type;
++
++ userdom_user_home_content($1)
++')
++
++########################################
++## <summary>
++## Create objects in an xdg_data_home directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`xdg_data_home_spec_filetrans',`
++ gen_require(`
++ type xdg_data_home_t;
++ ')
++
++ filetrans_pattern($1, xdg_data_home_t, $2, $3)
++
++ userdom_search_user_home_dirs($1)
++')
++
++# TODO Introduce xdg_data_home_filetrans when named file transitions are supported
++# to support a filetrans from user_home_dir_t to xdg_data_home_t (~/.local)
++
++########################################
++## <summary>
++## Mark the selected type as an xdg_cache_home_type
++## </summary>
++## <param name="type">
++## <summary>
++## Type to give the xdg_cache_home_type attribute to
++## </summary>
++## </param>
++#
++interface(`xdg_cache_home_content',`
++ gen_require(`
++ attribute xdg_cache_home_type;
++ ')
++
++ typeattribute $1 xdg_cache_home_type;
++
++ userdom_user_home_content($1)
++')
++
++########################################
++## <summary>
++## Create objects in an xdg_cache_home directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`xdg_cache_home_spec_filetrans',`
++ gen_require(`
++ type xdg_cache_home_t;
++ ')
++
++ filetrans_pattern($1, xdg_cache_home_t, $2, $3)
++
++ userdom_search_user_home_dirs($1)
++')
++
++# TODO Introduce xdg_cache_home_filetrans when named file transitions are supported
++# to support a filetrans from user_home_dir_t to xdg_cache_home_t (~/.cache)
++
++########################################
++## <summary>
++## Mark the selected type as an xdg_config_home_type
++## </summary>
++## <param name="type">
++## <summary>
++## Type to give the xdg_config_home_type attribute to
++## </summary>
++## </param>
++#
++interface(`xdg_config_home_content',`
++ gen_require(`
++ attribute xdg_config_home_type;
++ ')
++
++ typeattribute $1 xdg_config_home_type;
++
++ userdom_user_home_content($1)
++')
++
++########################################
++## <summary>
++## Create objects in an xdg_config_home directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`xdg_config_home_spec_filetrans',`
++ gen_require(`
++ type xdg_config_home_t;
++ ')
++
++ filetrans_pattern($1, xdg_config_home_t, $2, $3)
++
++ userdom_search_user_home_dirs($1)
++')
++
++# TODO Introduce xdg_config_home_filetrans when named file transitions are supported
++# to support a filetrans from user_home_dir_t to xdg_config_home_t (~/.config)
++
++#
++########################################
++## <summary>
++## Mark the selected type as an xdg_runtime_home_type
++## </summary>
++## <param name="type">
++## <summary>
++## Type to give the xdg_runtime_home_type attribute to
++## </summary>
++## </param>
++#
++interface(`xdg_runtime_home_content',`
++ gen_require(`
++ attribute xdg_runtime_home_type;
++ ')
++
++ typeattribute $1 xdg_runtime_home_type;
++
++ userdom_user_home_content($1)
++')
++
++########################################
++## <summary>
++## Create objects in an xdg_runtime_home directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`xdg_runtime_home_spec_filetrans',`
++ gen_require(`
++ type xdg_runtime_home_t;
++ ')
++
++ filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
++
++ files_search_pids($1)
++')
++
++# TODO Introduce xdg_runtime_home_filetrans (if applicable) when named file transitions are supported
++# to support a filetrans from whatever /run/user is to xdg_config_home_t
++
++########################################
++## <summary>
++## Read the xdg cache home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_read_generic_cache_home_files',`
++ gen_require(`
++ type xdg_cache_home_t;
++ ')
++
++ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Read all xdg_cache_home_type files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_read_all_cache_home_files',`
++ gen_require(`
++ attribute xdg_cache_home_type;
++ ')
++
++ read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Allow relabeling the xdg cache home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_relabel_generic_cache_home_content',`
++ gen_require(`
++ type xdg_cache_home_t;
++ ')
++
++ relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++
++########################################
++## <summary>
++## Manage the xdg cache home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_manage_generic_cache_home_content',`
++ gen_require(`
++ type xdg_cache_home_t;
++ ')
++
++ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Read the xdg config home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_read_generic_config_home_files',`
++ gen_require(`
++ type xdg_config_home_t;
++ ')
++
++ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Read all xdg_config_home_type files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_read_all_config_home_files',`
++ gen_require(`
++ attribute xdg_config_home_type;
++ ')
++
++ read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Allow relabeling the xdg config home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_relabel_generic_config_home_content',`
++ gen_require(`
++ type xdg_config_home_t;
++ ')
++
++ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++
++########################################
++## <summary>
++## Manage the xdg config home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_manage_generic_config_home_content',`
++ gen_require(`
++ type xdg_config_home_t;
++ ')
++
++ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++ manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Read the xdg data home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_read_generic_data_home_files',`
++ gen_require(`
++ type xdg_data_home_t;
++ ')
++
++ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Read all xdg_data_home_type files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_read_all_data_home_files',`
++ gen_require(`
++ attribute xdg_data_home_type;
++ ')
++
++ read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Allow relabeling the xdg data home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_relabel_generic_data_home_content',`
++ gen_require(`
++ type xdg_data_home_t;
++ ')
++
++ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Manage the xdg data home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_manage_generic_data_home_content',`
++ gen_require(`
++ type xdg_data_home_t;
++ ')
++
++ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++ manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
++
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Read the xdg runtime home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_read_generic_runtime_home_files',`
++ gen_require(`
++ type xdg_runtime_home_t;
++ ')
++
++ read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ list_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++
++ files_search_pids($1)
++')
++
++########################################
++## <summary>
++## Read all xdg_runtime_home_type files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_read_all_runtime_home_files',`
++ gen_require(`
++ attribute xdg_runtime_home_type;
++ ')
++
++ read_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
++
++ files_search_pids($1)
++')
++
++########################################
++## <summary>
++## Allow relabeling the xdg runtime home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_relabel_generic_runtime_home_content',`
++ gen_require(`
++ type xdg_runtime_home_t;
++ ')
++
++ relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++
++ files_search_pids($1)
++')
++
++########################################
++## <summary>
++## Manage the xdg runtime home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xdg_manage_generic_runtime_home_content',`
++ gen_require(`
++ type xdg_runtime_home_t;
++ ')
++
++ manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++ manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
++
++ files_search_pids($1)
++')
++
+--- refpolicy/policy/modules/system/xdg.fc 1970-01-01 01:00:00.000000000 +0100
++++ refpolicy/policy/modules/system/xdg.fc 2011-10-09 14:32:14.591569999 +0200
+@@ -0,0 +1,8 @@
++HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
++HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
++HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
++
++#
++# /run
++#
++/run/user/USER(/.*)? gen_context(system_u:object_r:xdg_runtime_home_t,s0)
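Review bot: `xdg_runtime_home_content` marks its argument as user home content via `userdom_user_home_content($1)`, yet every runtime interface below it reaches the directory with `files_search_pids($1)` and xdg.fc places it at `/run/user/USER(/.*)?`, so xdg_runtime_home_t will presumably be swept up by the userdom home-content interfaces while actually living under /run. Replacing that call with `files_pid_file($1)` (or at minimum `files_type($1)`) puts the runtime directory under the /run rules, and the comment after `xdg_runtime_home_spec_filetrans` names the wrong target and should read `# to support a filetrans from /run/user to xdg_runtime_home_t`. The three `xdg_read_all_*_home_files` interfaces also grant only `read_files_pattern` on the attribute, without the `list_dirs_pattern` their generic counterparts carry, so a caller can open files it already knows by name but cannot enumerate a directory; adding `list_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type)` (and likewise for config, cache and runtime) keeps the two families consistent.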
14 selinux-modules/patches/0075-mozilla-allow_plugin_to_read_config_files-r8.patch
@@ -1,6 +1,14 @@
---- refpolicy/policy/modules/apps/mozilla.te 2011-12-04 20:58:19.522393825 +0100
-+++ refpolicy/policy/modules/apps/mozilla.te 2011-12-04 20:57:41.065393743 +0100
-@@ -468,6 +468,10 @@
+--- refpolicy/policy/modules/apps/mozilla.te 2011-12-10 14:08:53.076035608 +0100
++++ refpolicy/policy/modules/apps/mozilla.te 2011-12-10 14:08:20.634035540 +0100
+@@ -300,6 +300,7 @@
+ ')
+
+ optional_policy(`
++ xdg_read_generic_config_home_files(mozilla_t)
+ xdg_read_generic_data_home_files(mozilla_t)
+ ')
+
+@@ -468,6 +469,10 @@
')
optional_policy(`
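Review bot: `xdg_read_generic_config_home_files(mozilla_t)` lets the browser domain read and list every file under ~/.config that carries the generic xdg_config_home_t label, which may include other applications' configuration and any credentials they keep there; the README entry for this patch already flags the access as "currently still generic". A narrower shape is a private type such as `mozilla_conf_t` declared with `xdg_config_home_content(mozilla_conf_t)` and labelled by a `HOME_DIR/\.config/mozilla(/.*)?`-style entry, with the generic read retained only behind a comment naming which other applications' files mozilla actually needs. The second hunk starting at line 468 is cut off here and is not reviewed.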
6 selinux-modules/patches/0076-xserver-support_contexts_for_lxdm_and_slim-r8.patch
@@ -1,10 +1,10 @@
---- refpolicy/policy/modules/services/xserver.fc 2011-12-06 10:04:51.794018203 +0100
-+++ refpolicy/policy/modules/services/xserver.fc 2011-12-06 10:04:12.975018120 +0100
+--- refpolicy/policy/modules/services/xserver.fc 2011-12-06 11:26:03.418028601 +0100
++++ refpolicy/policy/modules/services/xserver.fc 2011-12-06 11:25:34.849028540 +0100
@@ -60,9 +60,11 @@
#
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdg_exec_t,s0)
++/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
57 ...nux-modules/patches/0077-portage-dontaudit_netlink_and_put_tryouts_in_global_def-r8.patch
@@ -0,0 +1,57 @@
+--- refpolicy/policy/modules/admin/portage.te 2011-12-10 12:23:59.311022174 +0100
++++ refpolicy/policy/modules/admin/portage.te 2011-12-10 12:23:16.472022084 +0100
+@@ -160,6 +160,8 @@
+ allow portage_t self:process { setfscreate setexec };
+ # - kill for mysql merging, at least
+ allow portage_t self:capability { sys_nice kill setfcap };
++dontaudit portage_t self:capability { dac_read_search };
++dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ # user post-sync scripts
+ can_exec(portage_t, portage_conf_t)
+@@ -183,10 +185,12 @@
+ allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
+ allow portage_sandbox_t portage_t:process sigchld;
+ allow portage_sandbox_t self:process ptrace;
++dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ # run scripts out of the build directory
+ can_exec(portage_t, portage_tmp_t)
+
++kernel_dontaudit_request_load_module(portage_t)
+ # merging baselayout will need this:
+ kernel_write_proc_files(portage_t)
+
+@@ -211,16 +215,6 @@
+ # if sesandbox is disabled, compiling is performed in this domain
+ portage_compile_domain(portage_t)
+
+-tunable_policy(`gentoo_try_dontaudit',`
+- dontaudit portage_t self:capability { dac_read_search };
+- dontaudit portage_t self:netlink_route_socket { create };
+- dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
+-
+- kernel_dontaudit_request_load_module(portage_t)
+-
+- logging_dontaudit_search_logs(portage_fetch_t)
+-')
+-
+ optional_policy(`
+ bootloader_domtrans(portage_t)
+ ')
+@@ -265,6 +259,7 @@
+ allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+ allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+ allow portage_fetch_t portage_gpg_t:file manage_file_perms;
++dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
+
+ read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
+
+@@ -309,6 +304,7 @@
+ files_dontaudit_search_pids(portage_fetch_t)
+
+ logging_list_logs(portage_fetch_t)
++logging_dontaudit_search_logs(portage_fetch_t)
+
+ term_search_ptys(portage_fetch_t)
+
11 selinux-modules/patches/0078-portage-mark_portage_ebuild_t_as_mountpoint-r8.patch
@@ -0,0 +1,11 @@
+--- refpolicy/policy/modules/admin/portage.te 2011-12-06 17:47:52.661077500 +0100
++++ refpolicy/policy/modules/admin/portage.te 2011-12-06 17:47:27.068077445 +0100
+@@ -59,7 +59,7 @@
+ term_pty(portage_devpts_t)
+
+ type portage_ebuild_t;
+-files_type(portage_ebuild_t)
++files_mountpoint(portage_ebuild_t)
+
+ type portage_fetch_tmp_t;
+ files_tmp_file(portage_fetch_tmp_t)
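Review bot: `files_mountpoint(portage_ebuild_t)` carries no comment saying why the ebuild tree is a mount point; the reason is only recoverable from the README line for patch 0078. Add above it `# the ebuild tree is commonly a separate filesystem (squashfs, NFS) mounted on top of this type`, since the attribute presumably also lets domains that may mount on generic mountpoints overlay the tree, which is worth being explicit about.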
10 selinux-modules/patches/0079-fail2ban-dontaudit_write_to_usr_dirs-r8.patch
@@ -0,0 +1,10 @@
+--- refpolicy/policy/modules/services/fail2ban.te 2011-03-28 17:05:14.000000000 +0200
++++ refpolicy/policy/modules/services/fail2ban.te 2011-12-10 16:49:38.405056195 +0100
+@@ -72,6 +72,7 @@
+ files_read_usr_files(fail2ban_t)
+ files_list_var(fail2ban_t)
+ files_search_var_lib(fail2ban_t)
++files_dontaudit_write_usr_dirs(fail2ban_t)
+
+ fs_list_inotifyfs(fail2ban_t)
+ fs_getattr_all_fs(fail2ban_t)
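Review bot: `files_dontaudit_write_usr_dirs(fail2ban_t)` silences a denial without recording its cause; the README for 0079 attributes it to Python trying to write .pyc files beside their .py sources under /usr, which nothing in this hunk says. Add `# python tries to write .pyc files next to its modules under /usr; deny quietly` above the call so the next reader does not take it for a missing permission. The denial itself is the right outcome, a daemon should not modify /usr, and byte-compiling the modules at install time would remove the attempt altogether.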
13 selinux-modules/patches/0079-init-allow_initrc_to_stream_connect_to_fail2ban_socket-r8.patch
@@ -0,0 +1,13 @@
+--- refpolicy/policy/modules/system/init.te 2011-12-10 15:28:21.238045786 +0100
++++ refpolicy/policy/modules/system/init.te 2011-12-10 15:25:47.542045458 +0100
+@@ -650,6 +650,10 @@
+ ')
+
+ optional_policy(`
++ fail2ban_stream_connect(initrc_t)
++')
++
++optional_policy(`
+ ftp_read_config(initrc_t)
+ ')
+
10 selinux-modules/patches/0079-init-dontaudit_write_to_usr_dirs-r8.patch
@@ -0,0 +1,10 @@
+--- refpolicy/policy/modules/system/init.te 2011-12-10 15:48:31.020048368 +0100
++++ refpolicy/policy/modules/system/init.te 2011-12-10 15:47:40.625048261 +0100
+@@ -274,6 +274,7 @@
+ kernel_dontaudit_getattr_message_if(initrc_t)
+
+ files_read_kernel_symbol_table(initrc_t)
++files_dontaudit_write_usr_dirs(initrc_t)
+
+ corecmd_exec_all_executables(initrc_t)
+
22 selinux-modules/patches/0080-telnet-mark_remotelogin_domtrans_as_optional_policy-r8.patch
@@ -0,0 +1,22 @@
+--- refpolicy/policy/modules/services/telnet.te 2011-03-28 17:05:15.000000000 +0200
++++ refpolicy/policy/modules/services/telnet.te 2011-12-11 12:53:09.566210326 +0100
+@@ -81,8 +81,6 @@
+
+ seutil_read_config(telnetd_t)
+
+-remotelogin_domtrans(telnetd_t)
+-
+ userdom_search_user_home_dirs(telnetd_t)
+ userdom_setattr_user_ptys(telnetd_t)
+
+@@ -91,6 +89,10 @@
+ kerberos_manage_host_rcache(telnetd_t)
+ ')
+
++optional_policy(`
++ remotelogin_domtrans(telnetd_t)
++')
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(telnetd_t)
+ ')
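Review bot: Making `remotelogin_domtrans(telnetd_t)` optional changes what happens when the remotelogin module is absent: telnetd_t then has no transition rule for the login binary and, unless a rule outside this hunk grants execute on it, will fail to spawn a login session rather than run it in its own domain — a safe failure, but one worth recording, e.g. `# without remotelogin, telnetd cannot start login sessions at all` inside the block. The placement after the kerberos block follows the alphabetical ordering refpolicy uses for optional_policy blocks.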
5 selinux-modules/patches/README
@@ -87,8 +87,11 @@ not yet approved).
0073 . dhcpd can use ldap as a backend
0074 . inetd should also be allowed to bind/listen on pop port
0075 - allow mozilla plugin to read its configuration files ($$$TODO currently still generic)
-0076 - support slim and lxdm contexts
+0076 . support slim and lxdm contexts
0077 - introduce dontaudit statements to clean up audit logs
+0078 - mark portage_ebuild_t as a mountpoint
+0079 - update on fail2ban (start from initrc_t), dontaudit for python scripts wanting to write .pyc files where .py files are
+0080 - mark remotelogin_domtrans call in telnet as optional (no hard dependency)
[1] Refpolicy would like to see an intermediate domain (udev_network_initrc_t or something similar) which
has the domtrans in it. In our case, this probably means that the udev "net.sh" script should use that.
0  ...hes/0060-xdg-introduce_xdg_types-r5.patch → ...old/0060-xdg-introduce_xdg_types-r5.patch
File renamed without changes