rpms/selinux-policy/devel booleans-targeted.conf, 1.6, 1.7 modules-targeted.conf, 1.19, 1.20 policy-20060323.patch, 1.9, 1.10 selinux-policy.spec, 1.167, 1.168
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Apr 6 19:09:09 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv23371
Modified Files:
booleans-targeted.conf modules-targeted.conf
policy-20060323.patch selinux-policy.spec
Log Message:
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-4
- More textrel_shlib_t file path fixes
- Add ada support
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- booleans-targeted.conf 19 Feb 2006 12:17:15 -0000 1.6
+++ booleans-targeted.conf 6 Apr 2006 19:08:54 -0000 1.7
@@ -8,7 +8,7 @@
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = true
+allow_execstack = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
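Review bot: The default of `allow_execstack` changes from true to false here, a user-visible hardening change (domains governed by this boolean lose the ability to make their stack executable via mprotect unless an administrator re-enables it), yet the log message lists only textrel path fixes and ada support. From the rest of this commit the flip appears to be paired with the new ada_t domain in policy-20060323.patch, which carries its own `execstack execmem` in its targeted branch, so GNAT-built programs keep working while everything else is denied; that rationale should be recorded both in the changelog and as a comment ahead of the setting, e.g. `# Default off as of 2.2.29-4; GNAT tools run in ada_t, which grants execstack on its own.` Note also that the existing comment above this line runs "mprotect.Also" without a space, which is worth fixing when this file is next touched.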
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- modules-targeted.conf 24 Mar 2006 16:44:06 -0000 1.19
+++ modules-targeted.conf 6 Apr 2006 19:08:54 -0000 1.20
@@ -1001,6 +1001,13 @@
#
java = base
+# Layer: apps
+# Module: ada
+#
+# ada executable
+#
+ada = base
+
# Layer: services
# Module: logwatch
#
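Review bot: The module comment `# ada executable` says less than its neighbours (the java entry is described as a program, not a file) and does not tell a reader why a compiler toolchain gets its own module in targeted policy. Suggest `# Ada (GNAT) compiler toolchain; in targeted policy its domain is unconfined apart from its own execstack grant (see ada.te)`, so the choice of `base` is understood as deliberate.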
policy-20060323.patch:
admin/rpm.te | 1
apps/ada.fc | 7 +
apps/ada.if | 203 +++++++++++++++++++++++++++++++++++++++++++++
apps/ada.te | 24 +++++
apps/java.fc | 1
apps/mono.if | 23 +++++
apps/mono.te | 1
kernel/devices.fc | 1
kernel/devices.if | 40 ++++++++
kernel/files.if | 15 +++
kernel/mls.te | 1
services/apache.if | 20 ++++
services/automount.te | 1
services/avahi.te | 4
services/bluetooth.te | 7 +
services/cups.te | 2
services/dbus.te | 1
services/hal.te | 13 ++
services/networkmanager.te | 1
services/nscd.if | 20 ++++
services/samba.te | 2
services/snmp.te | 1
services/xserver.if | 21 ++++
system/fstools.te | 1
system/getty.fc | 1
system/getty.te | 2
system/init.te | 1
system/libraries.fc | 26 ++++-
system/logging.if | 32 +++++++
system/mount.te | 4
system/unconfined.if | 17 +--
system/unconfined.te | 8 -
system/userdomain.te | 4
33 files changed, 477 insertions(+), 29 deletions(-)
Index: policy-20060323.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060323.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20060323.patch 4 Apr 2006 10:07:53 -0000 1.9
+++ policy-20060323.patch 6 Apr 2006 19:08:54 -0000 1.10
@@ -9,6 +9,260 @@
selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.fc serefpolicy-2.2.29/policy/modules/apps/ada.fc
+--- nsaserefpolicy/policy/modules/apps/ada.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/ada.fc 2006-04-04 06:29:46.000000000 -0400
+@@ -0,0 +1,7 @@
++#
++# /usr
++#
++/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
++/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
++/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
++/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if serefpolicy-2.2.29/policy/modules/apps/ada.if
+--- nsaserefpolicy/policy/modules/apps/ada.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/ada.if 2006-04-04 06:28:18.000000000 -0400
+@@ -0,0 +1,203 @@
++## <summary>Java virtual machine</summary>
++
++#######################################
++## <summary>
++## The per user domain template for the ada module.
++## </summary>
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for ada plugins that are executed by a browser.
++## </p>
++## <p>
++## This template is invoked automatically for each user, and
++## generally does not need to be invoked directly
++## by policy writers.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++## <param name="user_role">
++## <summary>
++## The role associated with the user domain.
++## </summary>
++## </param>
++#
++template(`ada_per_userdomain_template',`
++ gen_require(`
++ type ada_exec_t;
++ ')
++
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_adaplugin_t;
++ domain_type($1_adaplugin_t)
++ role $3 types $1_adaplugin_t;
++
++ type $1_adaplugin_tmp_t;
++ files_tmp_file($1_adaplugin_tmp_t)
++
++ type $1_adaplugin_tmpfs_t;
++ files_tmpfs_file($1_adaplugin_tmpfs_t)
++
++ ########################################
++ #
++ # Local policy
++ #
++
++ allow $1_adaplugin_t self:process { signal_perms getsched setsched execmem };
++ allow $1_adaplugin_t self:fifo_file rw_file_perms;
++ allow $1_adaplugin_t self:tcp_socket create_socket_perms;
++ allow $1_adaplugin_t self:udp_socket create_socket_perms;
++
++ allow $1_adaplugin_t $2:unix_stream_socket connectto;
++ allow $1_adaplugin_t $2:unix_stream_socket { read write };
++ userdom_write_user_tmp_sockets($1,$1_adaplugin_t)
++
++ allow $1_adaplugin_t $1_adaplugin_tmp_t:dir create_dir_perms;
++ allow $1_adaplugin_t $1_adaplugin_tmp_t:file create_file_perms;
++ files_tmp_filetrans($1_adaplugin_t,$1_adaplugin_tmp_t,{ file dir })
++
++ allow $1_adaplugin_t $1_adaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
++ allow $1_adaplugin_t $1_adaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
++ allow $1_adaplugin_t $1_adaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
++ allow $1_adaplugin_t $1_adaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
++ allow $1_adaplugin_t $1_adaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
++ fs_tmpfs_filetrans($1_adaplugin_t,$1_adaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
++
++ # cjp: rw_dir_perms here doesnt make sense
++ allow $1_adaplugin_t $1_home_t:dir rw_dir_perms;
++ allow $1_adaplugin_t $1_home_t:file rw_file_perms;
++ allow $1_adaplugin_t $1_home_t:lnk_file { getattr read };
++
++ can_exec($1_adaplugin_t, ada_exec_t)
++
++ # The user role is authorized for this domain.
++ domain_auto_trans($1_t, ada_exec_t, $1_adaplugin_t)
++ allow $1_adaplugin_t $2:fd use;
++ # Unrestricted inheritance from the caller.
++ allow $2 $1_adaplugin_t:process { noatsecure siginh rlimitinh };
++ allow $1_adaplugin_t $2:process signull;
++
++ kernel_read_all_sysctls($1_adaplugin_t)
++ kernel_search_vm_sysctl($1_adaplugin_t)
++ kernel_read_network_state($1_adaplugin_t)
++ kernel_read_system_state($1_adaplugin_t)
++
++ # Search bin directory under adaplugin for adaplugin executable
++ corecmd_search_bin($1_adaplugin_t)
++
++ corenet_non_ipsec_sendrecv($1_adaplugin_t)
++ corenet_tcp_sendrecv_generic_if($1_adaplugin_t)
++ corenet_udp_sendrecv_generic_if($1_adaplugin_t)
++ corenet_raw_sendrecv_generic_if($1_adaplugin_t)
++ corenet_tcp_sendrecv_all_nodes($1_adaplugin_t)
++ corenet_udp_sendrecv_all_nodes($1_adaplugin_t)
++ corenet_raw_sendrecv_all_nodes($1_adaplugin_t)
++ corenet_tcp_sendrecv_all_ports($1_adaplugin_t)
++ corenet_udp_sendrecv_all_ports($1_adaplugin_t)
++ corenet_tcp_bind_all_nodes($1_adaplugin_t)
++ corenet_udp_bind_all_nodes($1_adaplugin_t)
++ corenet_tcp_connect_all_ports($1_adaplugin_t)
++
++ dev_read_sound($1_adaplugin_t)
++ dev_write_sound($1_adaplugin_t)
++ dev_read_urand($1_adaplugin_t)
++ dev_read_rand($1_adaplugin_t)
++
++ files_read_etc_files($1_adaplugin_t)
++ files_read_usr_files($1_adaplugin_t)
++ files_search_home($1_adaplugin_t)
++ files_search_var_lib($1_adaplugin_t)
++ files_read_etc_runtime_files($1_adaplugin_t)
++ # Read global fonts and font config
++ files_read_etc_files($1_adaplugin_t)
++
++ fs_getattr_xattr_fs($1_adaplugin_t)
++ fs_dontaudit_rw_tmpfs_files($1_adaplugin_t)
++
++ libs_use_ld_so($1_adaplugin_t)
++ libs_use_shared_libs($1_adaplugin_t)
++
++ logging_send_syslog_msg($1_adaplugin_t)
++
++ miscfiles_read_localization($1_adaplugin_t)
++ # Read global fonts and font config
++ miscfiles_read_fonts($1_adaplugin_t)
++
++ sysnet_read_config($1_adaplugin_t)
++
++ userdom_dontaudit_use_user_terminals($1,$1_adaplugin_t)
++ userdom_dontaudit_setattr_user_home_content_files($1,$1_adaplugin_t)
++ userdom_dontaudit_exec_user_home_content_files($1,$1_adaplugin_t)
++ userdom_manage_user_home_content_dirs($1,$1_adaplugin_t)
++ userdom_manage_user_home_content_files($1,$1_adaplugin_t)
++ userdom_manage_user_home_content_symlinks($1,$1_adaplugin_t)
++ userdom_manage_user_home_content_pipes($1,$1_adaplugin_t)
++ userdom_manage_user_home_content_sockets($1,$1_adaplugin_t)
++ userdom_user_home_dir_filetrans_user_home_content($1,$1_adaplugin_t,{ file lnk_file sock_file fifo_file })
++
++ tunable_policy(`allow_ada_execstack',`
++ allow $1_adaplugin_t self:process execstack;
++
++ allow $1_adaplugin_t $1_adaplugin_tmp_t:file execute;
++
++ libs_legacy_use_shared_libs($1_adaplugin_t)
++ libs_legacy_use_ld_so($1_adaplugin_t)
++ libs_use_lib_files($1_adaplugin_t)
++
++ miscfiles_legacy_read_localization($1_adaplugin_t)
++ ')
++
++ optional_policy(`
++ nis_use_ypbind($1_adaplugin_t)
++ ')
++
++ optional_policy(`
++ nscd_socket_use($1_adaplugin_t)
++ ')
++
++ optional_policy(`
++ xserver_user_client_template($1,$1_adaplugin_t,$1_adaplugin_tmpfs_t)
++ ')
++')
++
++########################################
++## <summary>
++## Execute the ada program in the ada domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ada_domtrans',`
++ ifdef(`targeted_policy',`
++ gen_require(`
++ type ada_t, ada_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domain_auto_trans($1, ada_exec_t, ada_t)
++
++ allow $1 ada_t:fd use;
++ allow ada_t $1:fd use;
++ allow ada_t $1:fifo_file rw_file_perms;
++ allow ada_t $1:process sigchld;
++ ',`
++ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
++ ')
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.te serefpolicy-2.2.29/policy/modules/apps/ada.te
+--- nsaserefpolicy/policy/modules/apps/ada.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/ada.te 2006-04-04 06:28:03.000000000 -0400
+@@ -0,0 +1,24 @@
++
++policy_module(ada,1.1.0)
++
++########################################
++#
++# Declarations
++#
++
++type ada_t;
++domain_type(ada_t)
++
++type ada_exec_t;
++files_type(ada_exec_t)
++
++########################################
++#
++# Local policy
++#
++
++ifdef(`targeted_policy',`
++ allow ada_t self:process { execstack execmem };
++ unconfined_domain_noaudit(ada_t)
++ role system_r types ada_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.2.29/policy/modules/apps/java.fc
+--- nsaserefpolicy/policy/modules/apps/java.fc 2006-03-23 16:46:10.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/java.fc 2006-04-06 14:52:12.000000000 -0400
+@@ -4,3 +4,4 @@
+ /usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.29/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2006-03-23 16:46:10.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/apps/mono.if 2006-04-03 10:03:24.000000000 -0400
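Review bot: `tunable_policy(`allow_ada_execstack',…)` in ada_per_userdomain_template references a boolean that nothing in this commit declares — ada.te declares only ada_t and ada_exec_t with no `gen_tunable`, and booleans-targeted.conf gains no entry for it — so the first policy that invokes the template would fail to build unless the boolean comes from somewhere outside this diff (the template is invoked nowhere in this commit, which is presumably why the build still passes); add `gen_tunable(allow_ada_execstack,false)` with the usual `## <desc>` block to ada.te. The file summary `## <summary>Java virtual machine</summary>` and the template description about "ada plugins that are executed by a browser" are carried over from java.if and describe the wrong module; `## <summary>Ada (GNAT) compiler toolchain</summary>` would be accurate. `files_read_etc_files($1_adaplugin_t)` appears twice in the template, the second copy under a "Read global fonts and font config" comment that actually belongs to the `miscfiles_read_fonts` call further down, so the duplicate line and its comment should go. In ada.te the targeted branch turns ada_t into an unconfined domain that additionally holds `execstack`, and the file gives no reason; a header comment such as `# GNAT-generated code needs an executable stack; keeping it in its own domain lets allow_execstack default to off elsewhere` would save the next maintainer from re-deriving this from booleans-targeted.conf.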
@@ -448,16 +702,17 @@
libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.29/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-03-30 10:18:07.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/libraries.fc 2006-04-03 14:29:38.000000000 -0400
-@@ -33,6 +33,7 @@
++++ serefpolicy-2.2.29/policy/modules/system/libraries.fc 2006-04-04 08:19:58.000000000 -0400
+@@ -33,6 +33,8 @@
#
/opt(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-+/opt/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/.*/jre.*/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/.*/jre.*/libjvm.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
#
# /sbin
-@@ -55,6 +56,8 @@
+@@ -55,6 +57,8 @@
/usr(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
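Review bot: The new patterns `/opt/.*/jre.*/libdeploy.so` and `/opt/.*/jre.*/libjvm.so` leave the dot before `so` unescaped, unlike the surrounding entries in the same file (`\.so(\.[^/]*)*`); file_contexts entries are regular expressions, so `.so` here matches any character followed by `so` and the match is looser than intended. Prefer `/opt/.*/jre.*/libdeploy\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and the same for libjvm. Dropping the `lib/i386/` component is presumably intended so the entries also cover the other architecture subdirectories, but that should be said in the changelog rather than left to inference. The `/usr/.*/jre.*/` counterparts added in the hunk at `@@ -503,9 +758,13 @@` have the same unescaped dot.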
@@ -466,7 +721,7 @@
/usr/lib(64)?/pgsql/test/regress/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
-@@ -62,18 +65,27 @@
+@@ -62,18 +66,27 @@
/usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -495,7 +750,7 @@
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -92,6 +104,7 @@
+@@ -92,6 +105,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -503,9 +758,13 @@
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/theorarend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -170,10 +183,9 @@
+@@ -168,12 +182,12 @@
+ /usr/lib(64)?/libdivxencore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
# Java, Sun Microsystems (JPackage SRPM)
- /usr/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/.*/jre.*/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/.*/jre.*/libjvm.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -620,18 +879,31 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.29/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-03-29 09:34:53.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/unconfined.te 2006-04-03 12:27:56.000000000 -0400
-@@ -106,10 +106,6 @@
++++ serefpolicy-2.2.29/policy/modules/system/unconfined.te 2006-04-04 06:30:36.000000000 -0400
+@@ -94,19 +94,19 @@
+ ')
+
+ optional_policy(`
+- lpd_domtrans_checkpc(unconfined_t)
++ ada_domtrans(unconfined_t)
+ ')
+
+ optional_policy(`
+- modutils_domtrans_update_mods(unconfined_t)
++ lpd_domtrans_checkpc(unconfined_t)
+ ')
+
+ optional_policy(`
+- mono_domtrans(unconfined_t)
++ modutils_domtrans_update_mods(unconfined_t)
')
optional_policy(`
- netutils_domtrans_ping(unconfined_t)
-- ')
--
-- optional_policy(`
- portmap_domtrans_helper(unconfined_t)
++ mono_domtrans(unconfined_t)
')
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.29/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-03-28 12:58:49.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/userdomain.te 2006-03-31 11:21:52.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.167
retrieving revision 1.168
diff -u -r1.167 -r1.168
--- selinux-policy.spec 4 Apr 2006 10:07:53 -0000 1.167
+++ selinux-policy.spec 6 Apr 2006 19:08:54 -0000 1.168
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.2.29
-Release: 3
+Release: 4
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -320,6 +320,10 @@
%endif
%changelog
+* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-4
+- More textrel_shlib_t file path fixes
+- Add ada support
+
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-3
- Get auditctl working in MLS policy