rpms/selinux-policy/FC-5 policy-20060323.patch,NONE,1.1
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Apr 3 21:06:03 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv11464
Added Files:
policy-20060323.patch
Log Message:
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-2.fc5
- Rebuild for FC5
policy-20060323.patch:
admin/rpm.te | 1 +
apps/mono.if | 23 +++++++++++++++++++++++
apps/mono.te | 1 +
kernel/devices.fc | 1 +
kernel/devices.if | 40 ++++++++++++++++++++++++++++++++++++++++
kernel/files.if | 15 +++++++++++++++
kernel/mls.te | 1 +
services/apache.if | 20 ++++++++++++++++++++
services/automount.te | 1 +
services/avahi.te | 4 ++++
services/bluetooth.te | 7 +++++--
services/dbus.te | 1 +
services/hal.te | 12 +++++++++++-
services/networkmanager.te | 1 +
services/nscd.if | 20 ++++++++++++++++++++
services/samba.te | 2 ++
services/snmp.te | 1 +
services/xserver.if | 21 +++++++++++++++++++++
system/fstools.te | 1 +
system/getty.fc | 1 +
system/getty.te | 2 ++
system/init.te | 1 +
system/libraries.fc | 22 +++++++++++++++++-----
system/logging.if | 32 ++++++++++++++++++++++++++++++++
system/mount.te | 4 +++-
system/unconfined.if | 17 +++++------------
system/unconfined.te | 4 ----
system/userdomain.te | 4 ++--
28 files changed, 233 insertions(+), 27 deletions(-)
--- NEW FILE policy-20060323.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.29/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-03-30 10:59:02.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/admin/rpm.te 2006-04-03 16:38:39.000000000 -0400
@@ -117,6 +117,7 @@
mls_file_read_up(rpm_t)
mls_file_write_down(rpm_t)
mls_file_upgrade(rpm_t)
+mls_file_downgrade(rpm_t)
selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.29/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2006-03-23 16:46:10.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/apps/mono.if 2006-04-03 10:03:24.000000000 -0400
@@ -23,3 +23,26 @@
allow mono_t $1:fifo_file rw_file_perms;
allow mono_t $1:process sigchld;
')
+
+
+########################################
+## <summary>
+## Send and receive messages from
+## mono over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_dbus_chat',`
+ gen_require(`
+ type mono_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 mono_t:dbus send_msg;
+ allow mono_t $1:dbus send_msg;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.29/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2006-03-23 16:46:10.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/apps/mono.te 2006-04-03 12:28:33.000000000 -0400
@@ -22,3 +22,4 @@
unconfined_domain_noaudit(mono_t)
role system_r types mono_t;
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.29/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-03-23 16:45:31.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/kernel/devices.fc 2006-03-31 11:49:27.000000000 -0500
@@ -59,6 +59,7 @@
')
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.29/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-03-30 10:03:20.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/kernel/devices.if 2006-04-03 11:31:23.000000000 -0400
@@ -2439,6 +2439,26 @@
########################################
## <summary>
+## Set the attributes of usbfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_usbfs',`
+ gen_require(`
+ type device_t, usbfs_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 usbfs_t:file setattr;
+')
+
+
+########################################
+## <summary>
## Associate a file to a usbfs filesystem.
## </summary>
## <param name="file_type">
@@ -2860,3 +2880,23 @@
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write, memory_raw_read;
')
+
+########################################
+## <summary>
+## Dontaudit getattr on all device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_device_nodes',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_t:dir_file_class_set getattr;
+ dontaudit $1 device_node:dir_file_class_set getattr;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.29/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-03-30 10:04:15.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/kernel/files.if 2006-03-31 11:21:52.000000000 -0500
@@ -1643,6 +1643,21 @@
')
########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file unlink;
+')
+
+
+########################################
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.29/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-03-23 16:45:31.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/kernel/mls.te 2006-04-03 16:29:39.000000000 -0400
@@ -60,6 +60,7 @@
ifdef(`enable_mls',`
range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition secadm_t auditctl_exec_t s15:c0.c255;
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.29/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2006-03-24 11:09:14.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/apache.if 2006-04-03 13:02:08.000000000 -0400
@@ -197,6 +197,26 @@
allow httpd_$1_script_t self:lnk_file read;
')
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
+ allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_$1_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
+ corenet_udp_sendrecv_all_if(httpd_$1_script_t)
+ corenet_raw_sendrecv_all_if(httpd_$1_script_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
+ corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
+ corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
+ corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+ corenet_tcp_bind_all_nodes(httpd_$1_script_t)
+ corenet_udp_bind_all_nodes(httpd_$1_script_t)
+ sysnet_read_config(httpd_$1_script_t)
+ ')
+
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.29/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-03-24 11:09:13.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/automount.te 2006-03-31 11:21:52.000000000 -0500
@@ -123,6 +123,7 @@
logging_search_logs(automount_t)
miscfiles_read_localization(automount_t)
+miscfiles_read_certs(automount_t)
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.2.29/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2006-03-24 11:09:13.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/avahi.te 2006-04-03 10:04:43.000000000 -0400
@@ -92,6 +92,10 @@
dbus_system_bus_client_template(avahi,avahi_t)
dbus_connect_system_bus(avahi_t)
dbus_send_system_bus(avahi_t)
+ optional_policy(`
+ mono_dbus_chat(avahi_t)
+ ')
+
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.29/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-03-30 10:59:02.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/bluetooth.te 2006-04-03 10:50:10.000000000 -0400
@@ -41,7 +41,7 @@
# Bluetooth services local policy
#
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getsched signal_perms };
allow bluetooth_t self:fifo_file rw_file_perms;
@@ -178,7 +178,7 @@
allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
-files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
kernel_read_system_state(bluetooth_helper_t)
kernel_read_kernel_sysctls(bluetooth_helper_t)
@@ -217,6 +217,8 @@
userdom_read_all_users_home_content_files(bluetooth_helper_t)
+ term_dontaudit_use_generic_ptys(bluetooth_helper_t)
+
optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
@@ -226,6 +228,7 @@
dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
dbus_connect_system_bus(bluetooth_helper_t)
dbus_send_system_bus(bluetooth_helper_t)
+ bluetooth_dbus_chat(bluetooth_helper_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.29/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2006-03-24 11:09:14.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/dbus.te 2006-03-31 11:21:52.000000000 -0500
@@ -102,6 +102,7 @@
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.29/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-03-30 10:59:02.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/hal.te 2006-04-03 11:31:34.000000000 -0400
@@ -22,7 +22,7 @@
#
# execute openvt which needs setuid
-allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process signal_perms;
allow hald_t self:fifo_file rw_file_perms;
@@ -52,6 +52,9 @@
kernel_write_proc_files(hald_t)
files_search_boot(hald_t)
+files_getattr_home_dir(hald_t)
+
+auth_read_pam_console_data(hald_t)
corecmd_exec_bin(hald_t)
corecmd_exec_sbin(hald_t)
@@ -77,6 +80,8 @@
dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_files(hald_t)
dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
@@ -187,6 +192,11 @@
optional_policy(`
networkmanager_dbus_chat(hald_t)
')
+
+ optional_policy(`
+ mono_dbus_chat(hald_t)
+ ')
+
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.29/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-03-24 11:09:15.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/networkmanager.te 2006-04-03 12:24:37.000000000 -0400
@@ -155,6 +155,7 @@
optional_policy(`
nscd_socket_use(NetworkManager_t)
+ nscd_signal(NetworkManager_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.2.29/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2006-03-23 16:46:11.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/nscd.if 2006-04-03 12:24:28.000000000 -0400
@@ -126,3 +126,23 @@
allow $1 nscd_t:nscd *;
')
+
+
+########################################
+## <summary>
+## signal NSCD
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signal',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signal;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.29/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-03-24 11:09:15.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/samba.te 2006-04-03 14:24:40.000000000 -0400
@@ -105,6 +105,8 @@
allow samba_net_t samba_net_tmp_t:file create_file_perms;
files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+allow smbd_t samba_net_tmp_t:file getattr;
+
allow samba_net_t samba_var_t:dir rw_dir_perms;
allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
allow samba_net_t samba_var_t:file create_lnk_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.2.29/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2006-03-24 11:09:13.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/snmp.te 2006-04-03 13:11:33.000000000 -0400
@@ -49,6 +49,7 @@
allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
+kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
kernel_read_proc_symlinks(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.29/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-03-30 10:16:43.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/xserver.if 2006-04-03 10:43:12.000000000 -0400
@@ -1015,3 +1015,24 @@
dontaudit $1 xdm_xserver_t:tcp_socket { read write };
')
+
+########################################
+## <summary>
+## Allow read and write to
+## a XDM X server socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_sockets',`
+ gen_require(`
+ type xdm_xserver_tmp_t;
+ ')
+
+ allow $1 xdm_xserver_tmp_t:dir search;
+ allow $1 xdm_xserver_tmp_t:sock_file { read write };
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.29/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-03-30 10:59:03.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/fstools.te 2006-03-31 11:21:52.000000000 -0500
@@ -77,6 +77,7 @@
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)
+dev_dontaudit_getattr_all_device_nodes(fsadm_t)
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-2.2.29/policy/modules/system/getty.fc
--- nsaserefpolicy/policy/modules/system/getty.fc 2006-03-23 16:46:11.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/getty.fc 2006-04-03 12:51:51.000000000 -0400
@@ -6,3 +6,4 @@
/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/fax -- gen_context(system_u:object_r:getty_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.2.29/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2006-03-29 10:50:04.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/getty.te 2006-04-03 12:52:46.000000000 -0400
@@ -104,6 +104,8 @@
miscfiles_read_localization(getty_t)
+mta_send_mail(getty_t)
+
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(getty_t)
term_dontaudit_use_generic_ptys(getty_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.29/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-03-30 10:13:28.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/init.te 2006-03-31 11:21:52.000000000 -0500
@@ -353,6 +353,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.29/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-03-30 10:18:07.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/libraries.fc 2006-04-03 14:29:38.000000000 -0400
@@ -33,6 +33,7 @@
#
/opt(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/opt/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
#
# /sbin
@@ -55,6 +56,8 @@
/usr(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/usr/lib(64)?/pgsql/test/regress/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -62,18 +65,27 @@
/usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-
+/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware(.*/)?/VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -92,6 +104,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/theorarend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -170,10 +183,9 @@
# Java, Sun Microsystems (JPackage SRPM)
/usr/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/intellinux/nppdf\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr(/.*)?/intellinux/lib/\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr(/.*)?/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:texrel_shlib_t,s0)
') dnl end distro_redhat
ifdef(`distro_suse',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.29/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2006-03-23 16:46:11.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/logging.if 2006-03-31 11:21:52.000000000 -0500
@@ -368,3 +368,35 @@
allow $1 var_log_t:dir rw_dir_perms;
allow $1 var_log_t:file create_file_perms;
')
+
+########################################
+## <summary>
+## Execute auditctl in the auditctl domain, and
+## allow the specified role the auditctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the auditctl domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the auditctl domain to use.
+## </summary>
+## </param>
+#
+interface(`logging_run_auditctl',`
+ gen_require(`
+ type auditctl_t;
+ ')
+
+ logging_domtrans_auditctl($1)
+ role $2 types auditctl_t;
+ allow auditctl_t $3:chr_file rw_term_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.29/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-03-30 10:59:03.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/mount.te 2006-03-31 15:12:44.000000000 -0500
@@ -19,7 +19,8 @@
# mount local policy
#
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config };
+# setuid/setgid needed to mount cifs
+allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
@@ -44,6 +45,7 @@
storage_raw_write_removable_device(mount_t)
fs_getattr_xattr_fs(mount_t)
+fs_getattr_cifs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.29/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-03-29 09:34:53.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/unconfined.if 2006-04-03 11:09:45.000000000 -0400
@@ -55,7 +55,7 @@
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1 self:process execstack;
- auditallow $1 self:process execstack;
+# auditallow $1 self:process execstack;
', `
# These are fairly common but seem to be harmless
# caused by using shared libraries built with old tool chains
@@ -89,14 +89,6 @@
storage_unconfined($1)
')
- ifdef(`TODO',`
- if (allow_execmod) {
- ifdef(`targeted_policy', `', `
- # Allow text relocations on system shared libraries, e.g. libGL.
- allow $1 home_type:file execmod;
- ')
- }
- ') dnl end TODO
')
########################################
@@ -118,9 +110,10 @@
auditallow $1 self:process execheap;
')
- tunable_policy(`allow_execmem',`
- auditallow $1 self:process execmem;
- ')
+# Turn off this audit for FC5
+# tunable_policy(`allow_execmem',`
+# auditallow $1 self:process execmem;
+# ')
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.29/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-03-29 09:34:53.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/unconfined.te 2006-04-03 12:27:56.000000000 -0400
@@ -106,10 +106,6 @@
')
optional_policy(`
- netutils_domtrans_ping(unconfined_t)
- ')
-
- optional_policy(`
portmap_domtrans_helper(unconfined_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.29/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-03-28 12:58:49.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/userdomain.te 2006-03-31 11:21:52.000000000 -0500
@@ -179,10 +179,10 @@
mls_file_downgrade(secadm_t)
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
- logging_domtrans_auditctl(secadm_t)
+ logging_run_auditctl(secadm_t,secadm_r,admin_terminal)
userdom_dontaudit_append_staff_home_content_files(secadm_t)
', `
- logging_domtrans_auditctl(sysadm_t)
+ logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
logging_read_audit_log(sysadm_t)
')
More information about the fedora-cvs-commits
mailing list