From: =?UTF-8?q?Mika=20Pfl=C3=BCger?= <debian@mikapflueger.de>
Date: Sun, 4 Mar 2012 03:06:55 +0100
Subject: Add additional interfaces and a boolean switch to access unconfined
homes
---
policy/modules/system/unconfined.if | 80 +++++++++++++++++++++++++++++++++++
policy/modules/system/unconfined.te | 9 ++++
2 files changed, 89 insertions(+), 0 deletions(-)
Index: refpolicy-2.20110726/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.if 2012-06-21 23:34:19.842043862 +1000
+++ refpolicy-2.20110726/policy/modules/system/unconfined.if 2012-06-21 23:34:22.746068441 +1000
@@ -96,6 +96,7 @@
optional_policy(`
xserver_unconfined($1)
')
+
')
########################################
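Review bot: The only change in this hunk is a blank line added before the closing `')` of the existing interface, which is unrelated to the interfaces this patch introduces. Drop it so the diff against upstream refpolicy stays limited to the functional additions.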
@@ -537,3 +538,82 @@
allow $1 unconfined_t:dbus acquire_svc;
')
+
+########################################
+## <summary>
+## Read files in unconfined users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_read_home_content_files',`
+ gen_require(`
+ type unconfined_home_dir_t, unconfined_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the unconfined
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_search_home_dirs',`
+ gen_require(`
+ type unconfined_home_dir_t;
+ ')
+
+ dontaudit $1 unconfined_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read unconfined users temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_read_tmp_files',`
+ gen_require(`
+ type unconfined_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 unconfined_tmp_t:dir list_dir_perms;
+ read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+ read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+')
+
+########################################
+## <summary>
+## Write unconfined users temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_write_tmp_files',`
+ gen_require(`
+ type unconfined_tmp_t;
+ ')
+
+ allow $1 unconfined_tmp_t:file { getattr write append };
+')
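Review bot: unconfined_write_tmp_files at the end of this hunk grants only `{ getattr write append }` on unconfined_tmp_t:file and, unlike unconfined_read_tmp_files directly above it, has no files_search_tmp($1) call and no directory permission on unconfined_tmp_t, so a caller cannot reach a file by path through this interface alone. If the intent is writing to descriptors that were already opened and inherited, say so in the summary; otherwise add files_search_tmp($1) and use write_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) to mirror the read interface. Separately, the summary of unconfined_read_home_content_files says "Read files" but the body also grants list_dir_perms on both home types and read access to symlinks, which the documentation should mention.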
Index: refpolicy-2.20110726/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.te 2012-06-21 23:34:16.622016799 +1000
+++ refpolicy-2.20110726/policy/modules/system/unconfined.te 2012-06-21 23:34:22.746068441 +1000
@@ -21,6 +21,15 @@
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
+## <desc>
+## <p>
+## Enabling this allows some daemons to access unconfined_home_dir_t and
+## unconfined_home_t as if they were regular home directories. This does
+## reduce the protection...
+## </p>
+## </desc>
+gen_bool(daemon_access_unconfined_home,true)
+
########################################
#
# Local policy
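Review bot: gen_bool(daemon_access_unconfined_home,true) enables by default a boolean whose own description says it reduces protection; default it to false so administrators opt in explicitly. The `<desc>` text also trails off at "reduce the protection..." and should state which content becomes reachable, and since nothing in this patch references the boolean in a tunable_policy block or calls the new interfaces, the description should name the modules expected to consume it.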