1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
From: =?UTF-8?q?Mika=20Pfl=C3=BCger?= <debian@mikapflueger.de>
Date: Sun, 4 Mar 2012 03:06:55 +0100
Subject: Add additional interfaces and a boolean switch to access unconfined
homes
---
policy/modules/system/unconfined.if | 80 +++++++++++++++++++++++++++++++++++
policy/modules/system/unconfined.te | 9 ++++
2 files changed, 89 insertions(+), 0 deletions(-)
Index: refpolicy-2.20110726/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.if 2012-06-21 23:34:19.842043862 +1000
+++ refpolicy-2.20110726/policy/modules/system/unconfined.if 2012-06-21 23:34:22.746068441 +1000
@@ -96,6 +96,7 @@
optional_policy(`
xserver_unconfined($1)
')
+
')
########################################
@@ -537,3 +538,82 @@
allow $1 unconfined_t:dbus acquire_svc;
')
+
+########################################
+## <summary>
+## Read files in unconfined users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_read_home_content_files',`
+ gen_require(`
+ type unconfined_home_dir_t, unconfined_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the unconfined
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_search_home_dirs',`
+ gen_require(`
+ type unconfined_home_dir_t;
+ ')
+
+ dontaudit $1 unconfined_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read unconfined users temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_read_tmp_files',`
+ gen_require(`
+ type unconfined_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 unconfined_tmp_t:dir list_dir_perms;
+ read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+ read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+')
+
+########################################
+## <summary>
+## Write unconfined users temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_write_tmp_files',`
+ gen_require(`
+ type unconfined_tmp_t;
+ ')
+
+ allow $1 unconfined_tmp_t:file { getattr write append };
+')
Index: refpolicy-2.20110726/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.te 2012-06-21 23:34:16.622016799 +1000
+++ refpolicy-2.20110726/policy/modules/system/unconfined.te 2012-06-21 23:34:22.746068441 +1000
@@ -21,6 +21,15 @@
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
+## <desc>
+## <p>
+## Enabling this allows some daemons to access unconfined_home_dir_t and
+## unconfined_home_t as if they were regular home directories. This does
+## reduce the protection...
+## </p>
+## </desc>
+gen_bool(daemon_access_unconfined_home,true)
+
########################################
#
# Local policy
|
