rpms/selinux-policy/devel booleans-targeted.conf, 1.6, 1.7 modules-targeted.conf, 1.19, 1.20 policy-20060323.patch, 1.9, 1.10 selinux-policy.spec, 1.167, 1.168

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Apr 6 19:09:09 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv23371

Modified Files:
	booleans-targeted.conf modules-targeted.conf 
	policy-20060323.patch selinux-policy.spec 
Log Message:
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-4
- More textrel_shlib_t file path fixes
- Add ada support



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- booleans-targeted.conf	19 Feb 2006 12:17:15 -0000	1.6
+++ booleans-targeted.conf	6 Apr 2006 19:08:54 -0000	1.7
@@ -8,7 +8,7 @@
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false
 
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
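Review bot: The shipped default of `allow_execstack` is flipped from true to false here, but neither the CVS log message nor the spec changelog in this commit records it; every unconfined program that still needs an executable stack will now see `execstack` denials until an administrator runs `setsebool -P allow_execstack 1`, which is exactly the kind of behaviour change a changelog entry must carry. Suggest adding `- Default allow_execstack to false; gnat tools get execstack/execmem via the new ada_t domain` alongside the two existing changelog lines. The new ada module is what makes this flip workable for gnat, so the two changes belong together in the record.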


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- modules-targeted.conf	24 Mar 2006 16:44:06 -0000	1.19
+++ modules-targeted.conf	6 Apr 2006 19:08:54 -0000	1.20
@@ -1001,6 +1001,13 @@
 # 
 java = base
 
+# Layer: apps
+# Module: ada
+#
+# ada executable
+# 
+ada = base
+
 # Layer: services
 # Module: logwatch
 #

policy-20060323.patch:
 admin/rpm.te               |    1 
 apps/ada.fc                |    7 +
 apps/ada.if                |  203 +++++++++++++++++++++++++++++++++++++++++++++
 apps/ada.te                |   24 +++++
 apps/java.fc               |    1 
 apps/mono.if               |   23 +++++
 apps/mono.te               |    1 
 kernel/devices.fc          |    1 
 kernel/devices.if          |   40 ++++++++
 kernel/files.if            |   15 +++
 kernel/mls.te              |    1 
 services/apache.if         |   20 ++++
 services/automount.te      |    1 
 services/avahi.te          |    4 
 services/bluetooth.te      |    7 +
 services/cups.te           |    2 
 services/dbus.te           |    1 
 services/hal.te            |   13 ++
 services/networkmanager.te |    1 
 services/nscd.if           |   20 ++++
 services/samba.te          |    2 
 services/snmp.te           |    1 
 services/xserver.if        |   21 ++++
 system/fstools.te          |    1 
 system/getty.fc            |    1 
 system/getty.te            |    2 
 system/init.te             |    1 
 system/libraries.fc        |   26 ++++-
 system/logging.if          |   32 +++++++
 system/mount.te            |    4 
 system/unconfined.if       |   17 +--
 system/unconfined.te       |    8 -
 system/userdomain.te       |    4 
 33 files changed, 477 insertions(+), 29 deletions(-)

Index: policy-20060323.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060323.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20060323.patch	4 Apr 2006 10:07:53 -0000	1.9
+++ policy-20060323.patch	6 Apr 2006 19:08:54 -0000	1.10
@@ -9,6 +9,260 @@
  
  selinux_get_fs_mount(rpm_t)
  selinux_validate_context(rpm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.fc serefpolicy-2.2.29/policy/modules/apps/ada.fc
+--- nsaserefpolicy/policy/modules/apps/ada.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/ada.fc	2006-04-04 06:29:46.000000000 -0400
+@@ -0,0 +1,7 @@
++#
++# /usr
++#
++/usr/libexec/gcc(/.*)?/gnat1 	--	gen_context(system_u:object_r:ada_exec_t,s0)
++/usr/bin/gnatbind	--	gen_context(system_u:object_r:ada_exec_t,s0)
++/usr/bin/gnatls		--	gen_context(system_u:object_r:ada_exec_t,s0)
++/usr/bin/gnatmake	--	gen_context(system_u:object_r:ada_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if serefpolicy-2.2.29/policy/modules/apps/ada.if
+--- nsaserefpolicy/policy/modules/apps/ada.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/ada.if	2006-04-04 06:28:18.000000000 -0400
+@@ -0,0 +1,203 @@
++## <summary>Java virtual machine</summary>
++
++#######################################
++## <summary>
++##	The per user domain template for the ada module.
++## </summary>
++## <desc>
++##	<p>
++##	This template creates a derived domains which are used
++##	for ada plugins that are executed by a browser.
++##	</p>
++##	<p>
++##	This template is invoked automatically for each user, and
++##	generally does not need to be invoked directly
++##	by policy writers.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++## <param name="user_role">
++##	<summary>
++##	The role associated with the user domain.
++##	</summary>
++## </param>
++#
++template(`ada_per_userdomain_template',`
++	gen_require(`
++		type ada_exec_t;
++	')
++	
++	########################################
++	#
++	# Declarations
++	#
++
++	type $1_adaplugin_t;
++	domain_type($1_adaplugin_t)
++	role $3 types $1_adaplugin_t;
++	
++	type $1_adaplugin_tmp_t;
++	files_tmp_file($1_adaplugin_tmp_t)
++
++	type $1_adaplugin_tmpfs_t;
++	files_tmpfs_file($1_adaplugin_tmpfs_t)
++	
++	########################################
++	#
++	# Local policy
++	#
++
++	allow $1_adaplugin_t self:process { signal_perms getsched setsched execmem };
++	allow $1_adaplugin_t self:fifo_file rw_file_perms;
++	allow $1_adaplugin_t self:tcp_socket create_socket_perms;
++	allow $1_adaplugin_t self:udp_socket create_socket_perms;
++	
++	allow $1_adaplugin_t $2:unix_stream_socket connectto;
++	allow $1_adaplugin_t $2:unix_stream_socket { read write };
++	userdom_write_user_tmp_sockets($1,$1_adaplugin_t)
++
++	allow $1_adaplugin_t $1_adaplugin_tmp_t:dir create_dir_perms;
++	allow $1_adaplugin_t $1_adaplugin_tmp_t:file create_file_perms;
++	files_tmp_filetrans($1_adaplugin_t,$1_adaplugin_tmp_t,{ file dir })
++
++	allow $1_adaplugin_t $1_adaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
++	allow $1_adaplugin_t $1_adaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
++	allow $1_adaplugin_t $1_adaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
++	allow $1_adaplugin_t $1_adaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
++	allow $1_adaplugin_t $1_adaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
++	fs_tmpfs_filetrans($1_adaplugin_t,$1_adaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
++
++	# cjp: rw_dir_perms here doesnt make sense
++	allow $1_adaplugin_t $1_home_t:dir rw_dir_perms;
++	allow $1_adaplugin_t $1_home_t:file rw_file_perms;
++	allow $1_adaplugin_t $1_home_t:lnk_file { getattr read };
++
++	can_exec($1_adaplugin_t, ada_exec_t)
++	
++	# The user role is authorized for this domain.
++	domain_auto_trans($1_t, ada_exec_t, $1_adaplugin_t)
++	allow $1_adaplugin_t $2:fd use;
++	# Unrestricted inheritance from the caller.
++	allow $2 $1_adaplugin_t:process { noatsecure siginh rlimitinh };
++	allow $1_adaplugin_t $2:process signull;
++	
++	kernel_read_all_sysctls($1_adaplugin_t)
++	kernel_search_vm_sysctl($1_adaplugin_t)
++	kernel_read_network_state($1_adaplugin_t)
++	kernel_read_system_state($1_adaplugin_t)
++
++	# Search bin directory under adaplugin for adaplugin executable
++	corecmd_search_bin($1_adaplugin_t)
++
++	corenet_non_ipsec_sendrecv($1_adaplugin_t)
++	corenet_tcp_sendrecv_generic_if($1_adaplugin_t)
++	corenet_udp_sendrecv_generic_if($1_adaplugin_t)
++	corenet_raw_sendrecv_generic_if($1_adaplugin_t)
++	corenet_tcp_sendrecv_all_nodes($1_adaplugin_t)
++	corenet_udp_sendrecv_all_nodes($1_adaplugin_t)
++	corenet_raw_sendrecv_all_nodes($1_adaplugin_t)
++	corenet_tcp_sendrecv_all_ports($1_adaplugin_t)
++	corenet_udp_sendrecv_all_ports($1_adaplugin_t)
++	corenet_tcp_bind_all_nodes($1_adaplugin_t)
++	corenet_udp_bind_all_nodes($1_adaplugin_t)
++	corenet_tcp_connect_all_ports($1_adaplugin_t)
++
++	dev_read_sound($1_adaplugin_t)
++	dev_write_sound($1_adaplugin_t)
++	dev_read_urand($1_adaplugin_t)
++	dev_read_rand($1_adaplugin_t)
++
++	files_read_etc_files($1_adaplugin_t)
++	files_read_usr_files($1_adaplugin_t)
++	files_search_home($1_adaplugin_t)
++	files_search_var_lib($1_adaplugin_t)
++	files_read_etc_runtime_files($1_adaplugin_t)
++	# Read global fonts and font config
++	files_read_etc_files($1_adaplugin_t)
++
++	fs_getattr_xattr_fs($1_adaplugin_t)
++	fs_dontaudit_rw_tmpfs_files($1_adaplugin_t)
++
++	libs_use_ld_so($1_adaplugin_t)
++	libs_use_shared_libs($1_adaplugin_t)
++
++	logging_send_syslog_msg($1_adaplugin_t)
++
++	miscfiles_read_localization($1_adaplugin_t)
++	# Read global fonts and font config
++	miscfiles_read_fonts($1_adaplugin_t)
++
++	sysnet_read_config($1_adaplugin_t)
++
++	userdom_dontaudit_use_user_terminals($1,$1_adaplugin_t)
++	userdom_dontaudit_setattr_user_home_content_files($1,$1_adaplugin_t)
++	userdom_dontaudit_exec_user_home_content_files($1,$1_adaplugin_t)
++	userdom_manage_user_home_content_dirs($1,$1_adaplugin_t)
++	userdom_manage_user_home_content_files($1,$1_adaplugin_t)
++	userdom_manage_user_home_content_symlinks($1,$1_adaplugin_t)
++	userdom_manage_user_home_content_pipes($1,$1_adaplugin_t)
++	userdom_manage_user_home_content_sockets($1,$1_adaplugin_t)
++	userdom_user_home_dir_filetrans_user_home_content($1,$1_adaplugin_t,{ file lnk_file sock_file fifo_file })
++
++	tunable_policy(`allow_ada_execstack',`
++		allow $1_adaplugin_t self:process execstack;
++
++		allow $1_adaplugin_t $1_adaplugin_tmp_t:file execute;
++
++		libs_legacy_use_shared_libs($1_adaplugin_t)
++		libs_legacy_use_ld_so($1_adaplugin_t)
++		libs_use_lib_files($1_adaplugin_t)
++
++		miscfiles_legacy_read_localization($1_adaplugin_t)
++	')
++
++	optional_policy(`
++		nis_use_ypbind($1_adaplugin_t)
++	')
++
++	optional_policy(`
++		nscd_socket_use($1_adaplugin_t)
++	')
++
++	optional_policy(`
++		xserver_user_client_template($1,$1_adaplugin_t,$1_adaplugin_tmpfs_t)
++	')
++')
++
++########################################
++## <summary>
++##	Execute the ada program in the ada domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ada_domtrans',`
++	ifdef(`targeted_policy',`
++		gen_require(`
++			type ada_t, ada_exec_t;
++		')
++
++		corecmd_search_bin($1)
++		domain_auto_trans($1, ada_exec_t, ada_t)
++
++		allow $1 ada_t:fd use;
++		allow ada_t $1:fd use;
++		allow ada_t $1:fifo_file rw_file_perms;
++		allow ada_t $1:process sigchld;
++	',`
++		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
++	')
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.te serefpolicy-2.2.29/policy/modules/apps/ada.te
+--- nsaserefpolicy/policy/modules/apps/ada.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/ada.te	2006-04-04 06:28:03.000000000 -0400
+@@ -0,0 +1,24 @@
++
++policy_module(ada,1.1.0)
++
++########################################
++#
++# Declarations
++#
++
++type ada_t;
++domain_type(ada_t)
++
++type ada_exec_t;
++files_type(ada_exec_t)
++
++########################################
++#
++# Local policy
++#
++
++ifdef(`targeted_policy',`
++	allow ada_t self:process { execstack execmem };
++	unconfined_domain_noaudit(ada_t)
++	role system_r types ada_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.2.29/policy/modules/apps/java.fc
+--- nsaserefpolicy/policy/modules/apps/java.fc	2006-03-23 16:46:10.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/java.fc	2006-04-06 14:52:12.000000000 -0400
+@@ -4,3 +4,4 @@
+ /usr(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)
++/opt(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.29/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2006-03-23 16:46:10.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/apps/mono.if	2006-04-03 10:03:24.000000000 -0400
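Review bot: The tunable_policy block keyed on `allow_ada_execstack` in ada.if's `ada_per_userdomain_template` references a boolean that nothing in this hunk declares (ada.te adds no `gen_tunable`, and the booleans-targeted.conf change adds no entry), so the first policy that instantiates the template would fail to build; likewise `$1_home_t` is used in the home-directory rules without appearing in the template's `gen_require`, which lists only `ada_exec_t`. Either add `gen_tunable(allow_ada_execstack, false)` with its `## <desc>` block to ada.te, or drop the tunable branch if, as in targeted policy, ada_t is simply `unconfined_domain_noaudit` with `execstack execmem` granted unconditionally. The interface documentation is copied from java.if: the file summary reads `## <summary>Java virtual machine</summary>` and the template is described as covering "ada plugins that are executed by a browser", neither of which fits the gnat1/gnatbind/gnatls/gnatmake binaries that ada.fc labels; suggest `## <summary>GNU Ada (gnat) compiler and build tools</summary>` and a matching rewrite of the `<desc>` paragraph. Note also that all four labelled binaries transition into the execstack/execmem-capable ada_t, although presumably only the compiler proper needs that; worth confirming whether gnatls and gnatmake must share the domain or could stay in the caller's.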
@@ -448,16 +702,17 @@
  libs_use_ld_so(initrc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.29/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-03-30 10:18:07.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/libraries.fc	2006-04-03 14:29:38.000000000 -0400
-@@ -33,6 +33,7 @@
++++ serefpolicy-2.2.29/policy/modules/system/libraries.fc	2006-04-04 08:19:58.000000000 -0400
+@@ -33,6 +33,8 @@
  #
  /opt(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
-+/opt/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/.*/jre.*/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/.*/jre.*/libjvm.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  #
  # /sbin
-@@ -55,6 +56,8 @@
+@@ -55,6 +57,8 @@
  
  /usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -466,7 +721,7 @@
  /usr/lib(64)?/pgsql/test/regress/.*\.so 	--	gen_context(system_u:object_r:shlib_t,s0)
  
  /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
-@@ -62,18 +65,27 @@
+@@ -62,18 +66,27 @@
  /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
  /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
  
@@ -495,7 +750,7 @@
  /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -92,6 +104,7 @@
+@@ -92,6 +105,7 @@
  /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -503,9 +758,13 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -170,10 +183,9 @@
+@@ -168,12 +182,12 @@
+ /usr/lib(64)?/libdivxencore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
  # Java, Sun Microsystems (JPackage SRPM)
- /usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/.*/jre.*/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/.*/jre.*/libjvm.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
 -/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
 -/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
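Review bot: The two new entries `/usr/.*/jre.*/libdeploy.so` and `/usr/.*/jre.*/libjvm.so` leave the `.` before `so` unescaped and drop the former `lib/i386/` path component, so they now label any file whose name matches `libjvm?so` anywhere under a directory matching `jre.*` as `textrel_shlib_t`, the type that permits text relocations (execmod) for every domain allowed to map it. Other entries in this file, e.g. `libglx\.so` a few hunks up, escape the dot, so this is an inconsistency as well as a wider-than-intended match; if every architecture is meant to be covered, at least write `/usr/.*/jre.*/libjvm\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` (and the same for libdeploy), otherwise keep the `lib/i386/` anchor too. The matching `/opt` entries earlier in this patch have the same shape. A one-line comment naming the JRE build that needed libjvm.so exempted would help the next person auditing the textrel_shlib_t list.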
@@ -620,18 +879,31 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.29/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2006-03-29 09:34:53.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/unconfined.te	2006-04-03 12:27:56.000000000 -0400
-@@ -106,10 +106,6 @@
++++ serefpolicy-2.2.29/policy/modules/system/unconfined.te	2006-04-04 06:30:36.000000000 -0400
+@@ -94,19 +94,19 @@
+ 	')
+ 
+ 	optional_policy(`
+-		lpd_domtrans_checkpc(unconfined_t)
++		ada_domtrans(unconfined_t)
+ 	')
+ 
+ 	optional_policy(`
+-		modutils_domtrans_update_mods(unconfined_t)
++		lpd_domtrans_checkpc(unconfined_t)
+ 	')
+ 
+ 	optional_policy(`
+-		mono_domtrans(unconfined_t)
++		modutils_domtrans_update_mods(unconfined_t)
  	')
  
  	optional_policy(`
 -		netutils_domtrans_ping(unconfined_t)
--	')
--
--	optional_policy(`
- 		portmap_domtrans_helper(unconfined_t)
++		mono_domtrans(unconfined_t)
  	')
  
+ 	optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.29/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2006-03-28 12:58:49.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/system/userdomain.te	2006-03-31 11:21:52.000000000 -0500
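Review bot: The `ada_domtrans(unconfined_t)` call is introduced by rotating the bodies of four consecutive `optional_policy` blocks (lpd to ada, modutils to lpd, mono to modutils, and the former netutils slot to mono) rather than by inserting one new block, which makes the resulting inner patch hard to audit; from what the outer hunk shows, `portmap_domtrans_helper(unconfined_t)` now appears to sit in the same block as the added `mono_domtrans(unconfined_t)` line, though the nested markers make that uncertain. Regenerating the inner patch from a tree where a single `optional_policy(` ada_domtrans(unconfined_t) `)` block is added in alphabetical position would give the same policy with a diff that reviews in one glance. The enclosing ifdef block starts before this hunk.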


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.167
retrieving revision 1.168
diff -u -r1.167 -r1.168
--- selinux-policy.spec	4 Apr 2006 10:07:53 -0000	1.167
+++ selinux-policy.spec	6 Apr 2006 19:08:54 -0000	1.168
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.2.29
-Release: 3
+Release: 4
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -320,6 +320,10 @@
 %endif
 
 %changelog
+* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-4
+- More textrel_shlib_t file path fixes
+- Add ada support
+
 * Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-3
 - Get auditctl working in MLS policy
 



