rpms/selinux-policy/devel policy-20081111.patch, 1.5, 1.6 selinux-policy.spec, 1.749, 1.750
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Dec 4 18:45:36 UTC 2008
- Previous message (by thread): rpms/lcms/devel lcms.spec,1.19,1.20
- Next message (by thread): rpms/m4ri/devel import.log, NONE, 1.1 m4ri-license-clarification.mbox, NONE, 1.1 m4ri.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12477
Modified Files:
policy-20081111.patch selinux-policy.spec
Log Message:
* Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-5
- Allow iptables to talk to terminals
policy-20081111.patch:
Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20081111.patch 3 Dec 2008 23:40:18 -0000 1.5
+++ policy-20081111.patch 4 Dec 2008 18:45:06 -0000 1.6
@@ -1457,8 +1457,8 @@
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.1/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-03 16:50:28.000000000 -0500
-@@ -91,3 +91,131 @@
++++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-04 13:27:45.000000000 -0500
+@@ -91,3 +91,150 @@
allow $1 gnome_home_t:file manage_file_perms;
userdom_search_user_home_dirs($1)
')
@@ -1502,7 +1502,7 @@
+ type gnome_home_t;
+ ')
+
-+ read_files_pattern($2, gnome_home_t, gnome_home_t)
++ read_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
@@ -1569,6 +1569,25 @@
+
+########################################
+## <summary>
++## manage gconf home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_manage_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ ')
++
++ allow $1 gconf_home_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_home_t, gconf_home_t)
++')
++
++########################################
++## <summary>
+## Connect to gnome over an unix stream socket.
+## </summary>
+## <param name="domain">
@@ -1979,8 +1998,8 @@
+seutil_domtrans_setfiles_mac(livecd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.1/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/apps/mono.if 2008-11-25 09:45:43.000000000 -0500
-@@ -21,6 +21,99 @@
++++ serefpolicy-3.6.1/policy/modules/apps/mono.if 2008-12-04 13:26:14.000000000 -0500
+@@ -21,6 +21,103 @@
########################################
## <summary>
@@ -2073,6 +2092,10 @@
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
++
++ optional_policy(`
++ xserver_role($1_r, $1_mono_t)
++ ')
+')
+
+########################################
@@ -2080,7 +2103,7 @@
## Execute the mono program in the caller domain.
## </summary>
## <param name="domain">
-@@ -31,7 +124,7 @@
+@@ -31,7 +128,7 @@
#
interface(`mono_exec',`
gen_require(`
@@ -10568,8 +10591,19 @@
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.1/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/dbus.if 2008-11-25 09:45:43.000000000 -0500
-@@ -185,10 +185,12 @@
++++ serefpolicy-3.6.1/policy/modules/services/dbus.if 2008-12-04 13:28:31.000000000 -0500
+@@ -160,6 +160,10 @@
+ ')
+
+ optional_policy(`
++ gnome_read_gconf_home_files($1_dbusd_t)
++ ')
++
++ optional_policy(`
+ hal_dbus_chat($1_dbusd_t)
+ ')
+
+@@ -185,10 +189,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -10583,7 +10617,7 @@
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -197,6 +199,10 @@
+@@ -197,6 +203,10 @@
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
@@ -10594,7 +10628,7 @@
')
#######################################
-@@ -244,6 +250,35 @@
+@@ -244,6 +254,35 @@
########################################
## <summary>
@@ -10630,7 +10664,7 @@
## Read dbus configuration.
## </summary>
## <param name="domain">
-@@ -318,3 +353,77 @@
+@@ -318,3 +357,77 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -15596,8 +15630,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-11-25 09:45:43.000000000 -0500
-@@ -0,0 +1,218 @@
++++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-04 11:20:36.000000000 -0500
+@@ -0,0 +1,222 @@
+policy_module(polkit_auth, 1.0.0)
+
+########################################
@@ -15715,9 +15749,13 @@
+')
+
+optional_policy(`
++ dbus_system_domain(polkit_auth_exec_t, polkit_auth_t)
++
+ dbus_session_bus_client(polkit_auth_t)
-+ consolekit_dbus_chat(polkit_auth_t)
-+ dbus_system_domain(polkit_exec_t, polkit_t)
++
++ optional_policy(`
++ consolekit_dbus_chat(polkit_t)
++ ')
+')
+
+optional_policy(`
@@ -20483,7 +20521,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-12-03 16:42:08.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-12-04 13:08:52.000000000 -0500
@@ -397,11 +397,12 @@
gen_require(`
type xdm_t, xdm_tmp_t;
@@ -20854,18 +20892,6 @@
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1171,8 +1468,9 @@
- #
- interface(`xserver_unconfined',`
- gen_require(`
-- attribute xserver_unconfined_type;
-+ attribute xserver_unconfined_type, x_domain;
- ')
-
-- typeattribute $1 xserver_unconfined_type;
-+ typeattribute $1 xserver_unconfined_type, x_domain;
- ')
-+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-03 18:27:33.000000000 -0500
@@ -22550,7 +22576,7 @@
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.1/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/iptables.te 2008-11-27 06:12:53.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/iptables.te 2008-12-04 08:58:18.000000000 -0500
@@ -22,12 +22,12 @@
# Iptables local policy
#
@@ -22566,6 +22592,14 @@
files_pid_filetrans(iptables_t,iptables_var_run_t,file)
can_exec(iptables_t,iptables_exec_t)
+@@ -53,6 +53,7 @@
+ mls_file_read_all_levels(iptables_t)
+
+ term_dontaudit_use_console(iptables_t)
++term_use_all_terms(iptables_t)
+
+ domain_use_interactive_fds(iptables_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.1/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/iscsi.te 2008-11-25 09:45:43.000000000 -0500
@@ -22589,7 +22623,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.1/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/system/libraries.fc 2008-12-01 08:43:02.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/libraries.fc 2008-12-04 08:08:10.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -22676,16 +22710,17 @@
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +283,8 @@
+@@ -267,6 +283,9 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +309,8 @@
+@@ -291,6 +310,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -22694,7 +22729,7 @@
') dnl end distro_redhat
#
-@@ -310,3 +330,20 @@
+@@ -310,3 +331,20 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -22891,7 +22926,7 @@
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.1/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/logging.te 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/logging.te 2008-12-04 08:25:26.000000000 -0500
@@ -126,7 +126,7 @@
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file rw_file_perms;
@@ -22901,7 +22936,16 @@
allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -215,9 +215,9 @@
+@@ -179,6 +179,8 @@
+ logging_domtrans_dispatcher(auditd_t)
+ logging_signal_dispatcher(auditd_t)
+
++auth_use_nsswitch(auditd_t)
++
+ miscfiles_read_localization(auditd_t)
+
+ mls_file_read_all_levels(auditd_t)
+@@ -215,9 +217,9 @@
# audit dispatcher local policy
#
@@ -22913,7 +22957,7 @@
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
-@@ -231,9 +231,12 @@
+@@ -231,9 +233,12 @@
domain_use_interactive_fds(audisp_t)
files_read_etc_files(audisp_t)
@@ -22926,7 +22970,24 @@
logging_send_syslog_msg(audisp_t)
miscfiles_read_localization(audisp_t)
-@@ -337,7 +340,7 @@
+@@ -253,11 +258,16 @@
+ corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+ corenet_tcp_connect_audit_port(audisp_remote_t)
+ corenet_sendrecv_audit_client_packets(audisp_remote_t)
++corenet_tcp_bind_audit_port(audisp_remote_t)
++corenet_tcp_sendrecv_all_ports(audisp_remote_t)
++corenet_tcp_bind_all_nodes(audisp_remote_t)
+
+ files_read_etc_files(audisp_remote_t)
+
+ logging_send_syslog_msg(audisp_remote_t)
+
++auth_use_nsswitch(audisp_remote_t)
++
+ miscfiles_read_localization(audisp_remote_t)
+
+ sysnet_dns_name_resolve(audisp_remote_t)
+@@ -337,7 +347,7 @@
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
@@ -23524,7 +23585,16 @@
fs_dontaudit_list_tmpfs(mdadm_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.1/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.fc 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.fc 2008-12-04 09:30:48.000000000 -0500
+@@ -6,7 +6,7 @@
+ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+ /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
+ /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
+-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+ /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
@@ -38,7 +38,7 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
@@ -23938,7 +24008,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.1/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.te 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.te 2008-12-04 11:48:11.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -23949,7 +24019,19 @@
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
-@@ -75,7 +78,6 @@
+@@ -58,8 +61,9 @@
+ # policy_config_t is the type of /etc/security/selinux/*
+ # the security server policy configuration.
+ #
+-type policy_config_t;
+-files_type(policy_config_t)
++#type policy_config_t;
++#files_type(policy_config_t)
++typealias semanage_store_t alias policy_config_t;
+
+ neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+ #neverallow ~can_write_binary_policy policy_config_t:file { write append };
+@@ -75,7 +79,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
@@ -23957,7 +24039,7 @@
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
-@@ -92,6 +94,10 @@
+@@ -92,6 +95,10 @@
domain_interactive_fd(semanage_t)
role system_r types semanage_t;
@@ -23968,7 +24050,7 @@
type semanage_store_t;
files_type(semanage_store_t)
-@@ -109,6 +115,11 @@
+@@ -109,6 +116,11 @@
init_system_domain(setfiles_t,setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
@@ -23980,7 +24062,7 @@
########################################
#
# Checkpolicy local policy
-@@ -166,6 +177,7 @@
+@@ -166,6 +178,7 @@
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
@@ -23988,7 +24070,7 @@
mls_file_read_all_levels(load_policy_t)
-@@ -191,15 +203,6 @@
+@@ -191,15 +204,6 @@
')
')
@@ -24004,7 +24086,7 @@
########################################
#
# Newrole local policy
-@@ -217,7 +220,7 @@
+@@ -217,7 +221,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -24013,7 +24095,7 @@
read_files_pattern(newrole_t,default_context_t,default_context_t)
read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
-@@ -270,12 +273,14 @@
+@@ -270,12 +274,14 @@
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
@@ -24028,7 +24110,7 @@
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
-@@ -336,6 +341,8 @@
+@@ -336,6 +342,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -24037,7 +24119,7 @@
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -354,7 +361,7 @@
+@@ -354,7 +362,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -24046,7 +24128,7 @@
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -383,7 +390,6 @@
+@@ -383,7 +391,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -24054,7 +24136,7 @@
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -421,61 +427,22 @@
+@@ -421,61 +428,22 @@
# semodule local policy
#
@@ -24124,7 +24206,7 @@
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +451,23 @@
+@@ -484,12 +452,23 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -24148,7 +24230,7 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,111 +477,36 @@
+@@ -499,111 +478,36 @@
userdom_read_user_tmp_files(semanage_t)
')
@@ -24792,7 +24874,7 @@
+/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.1/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/unconfined.if 2008-12-01 16:30:53.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/unconfined.if 2008-12-04 11:28:02.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -24827,11 +24909,14 @@
kernel_unconfined($1)
corenet_unconfined($1)
-@@ -44,6 +44,11 @@
+@@ -44,6 +44,14 @@
fs_unconfined($1)
selinux_unconfined($1)
+ domain_mmap_low_type($1)
++
++ ubac_process_exempt($1)
++
+ tunable_policy(`allow_unconfined_mmap_low',`
+ domain_mmap_low($1)
+ ')
@@ -24839,7 +24924,7 @@
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
-@@ -69,6 +74,7 @@
+@@ -69,6 +77,7 @@
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
@@ -24847,7 +24932,7 @@
')
optional_policy(`
-@@ -367,6 +373,24 @@
+@@ -367,6 +376,24 @@
########################################
## <summary>
@@ -24872,7 +24957,7 @@
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
-@@ -581,3 +605,150 @@
+@@ -581,3 +608,150 @@
allow $1 unconfined_t:dbus acquire_svc;
')
@@ -25369,7 +25454,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-02 14:58:08.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 13:27:59.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -25621,12 +25706,10 @@
- gen_require(`
- type $1_t;
- ')
-+interface(`userdom_basic_networking',`
-
+-
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-+ allow $1 self:tcp_socket create_stream_socket_perms;
-+ allow $1 self:udp_socket create_socket_perms;
++interface(`userdom_basic_networking',`
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
@@ -25638,7 +25721,9 @@
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
--
++ allow $1 self:tcp_socket create_stream_socket_perms;
++ allow $1 self:udp_socket create_socket_perms;
+
- corenet_all_recvfrom_labeled($1_t, $1_t)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
@@ -25737,7 +25822,7 @@
##############################
#
-@@ -512,111 +524,115 @@
+@@ -512,189 +524,192 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -25755,26 +25840,26 @@
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
-- corecmd_exec_bin($1_t)
+- corenet_udp_bind_all_nodes($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_all_nodes($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- corenet_udp_bind_all_nodes($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
--
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -25882,46 +25967,50 @@
')
optional_policy(`
- dbus_system_bus_client($1_t)
+- dbus_system_bus_client($1_t)
++ dbus_system_bus_client($1_usertype)
optional_policy(`
-+ avahi_dbus_chat($1_t)
-+ ')
-+
-+ optional_policy(`
- bluetooth_dbus_chat($1_t)
+- bluetooth_dbus_chat($1_t)
++ avahi_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ consolekit_dbus_chat($1_t)
-+ consolekit_read_log($1_t)
++ bluetooth_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ evolution_dbus_chat($1_t)
-+ evolution_alarm_dbus_chat($1_t)
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
')
optional_policy(`
-@@ -626,75 +642,75 @@
- optional_policy(`
- networkmanager_dbus_chat($1_t)
+- hal_dbus_chat($1_t)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
-- ')
+
+ optional_policy(`
+- networkmanager_dbus_chat($1_t)
+- ')
++ hal_dbus_chat($1_usertype)
+ ')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
-+ vpnc_dbus_chat($1_t)
++ networkmanager_dbus_chat($1_usertype)
')
-- optional_policy(`
+ optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
++ vpnc_dbus_chat($1_usertype)
++ ')
')
optional_policy(`
@@ -25969,64 +26058,64 @@
- postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
+ postgresql_stream_connect($1_usertype)
++ ')
')
- ')
-
- optional_policy(`
-- resmgr_stream_connect($1_t)
++
++ optional_policy(`
+ # to allow monitoring of pcmcia status
+ pcmcia_read_pid($1_usertype)
')
optional_policy(`
-- rpc_dontaudit_getattr_exports($1_t)
-- rpc_manage_nfs_rw_content($1_t)
+- resmgr_stream_connect($1_t)
+ pcscd_read_pub_files($1_usertype)
+ pcscd_stream_connect($1_usertype)
')
optional_policy(`
-- samba_stream_connect_winbind($1_t)
+- rpc_dontaudit_getattr_exports($1_t)
+- rpc_manage_nfs_rw_content($1_t)
+ resmgr_stream_connect($1_usertype)
')
optional_policy(`
-- slrnpull_search_spool($1_t)
+- samba_stream_connect_winbind($1_t)
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
')
optional_policy(`
-- usernetctl_run($1_t,$1_r)
+- slrnpull_search_spool($1_t)
+ samba_stream_connect_winbind($1_usertype)
')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- usernetctl_run($1_t,$1_r)
+ slrnpull_search_spool($1_usertype)
-+ ')
+ ')
+
')
#######################################
-@@ -722,15 +738,27 @@
+@@ -722,15 +737,27 @@
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_change_password_template($1)
++
++ userdom_manage_home_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_home_role($1_r, $1_usertype)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
++ gen_tunable(allow_$1_exec_content, true)
- userdom_change_password_template($1)
-+ gen_tunable(allow_$1_exec_content, true)
-+
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -26042,7 +26131,7 @@
##############################
#
-@@ -746,70 +774,72 @@
+@@ -746,70 +773,72 @@
allow $1_t self:context contains;
@@ -26148,7 +26237,7 @@
')
')
-@@ -846,6 +876,26 @@
+@@ -846,6 +875,27 @@
# Local policy
#
@@ -26164,11 +26253,12 @@
+ dbus_system_bus_client($1_t)
+
+ optional_policy(`
-+ consolekit_dbus_chat($1_t)
++ consolekit_dbus_chat($1_usertype)
+ ')
++
+ optional_policy(`
-+ cups_dbus_chat($1_t)
-+ cups_dbus_chat_config($1_t)
++ cups_dbus_chat($1_usertype)
++ cups_dbus_chat_config($1_usertype)
+ ')
+ ')
+
@@ -26184,12 +26274,14 @@
##############################
#
-@@ -884,14 +934,16 @@
+@@ -884,14 +934,18 @@
#
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
++
++ xserver_role($1_r, $1_t)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
@@ -26206,7 +26298,7 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +951,19 @@
+@@ -899,28 +953,24 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -26226,20 +26318,22 @@
optional_policy(`
- cups_dbus_chat($1_t)
- ')
-+ openoffice_role_template($1, $1_r, $1_usertype)
++ gnome_manage_config($1_usertype)
++ gnome_manage_gconf_home_files($1_usertype)
')
optional_policy(`
- java_role($1_r, $1_t)
-- ')
--
-- optional_policy(`
++ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
+ optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
+ polkit_role($1_r, $1_usertype)
')
')
-@@ -931,8 +974,7 @@
+@@ -931,8 +981,7 @@
## </summary>
## <desc>
## <p>
@@ -26249,7 +26343,7 @@
## </p>
## <p>
## This template creates a user domain, types, and
-@@ -954,8 +996,8 @@
+@@ -954,8 +1003,8 @@
# Declarations
#
@@ -26259,7 +26353,7 @@
userdom_common_user_template($1)
##############################
-@@ -964,11 +1006,10 @@
+@@ -964,11 +1013,10 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -26272,7 +26366,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,36 +1027,37 @@
+@@ -986,36 +1034,37 @@
')
')
@@ -26323,7 +26417,7 @@
')
')
-@@ -1050,7 +1092,7 @@
+@@ -1050,7 +1099,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -26332,7 +26426,7 @@
')
##############################
-@@ -1059,8 +1101,7 @@
+@@ -1059,8 +1108,7 @@
#
# Inherit rules for ordinary users.
@@ -26342,7 +26436,7 @@
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1124,8 @@
+@@ -1083,7 +1131,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -26352,7 +26446,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1106,8 +1148,6 @@
+@@ -1106,8 +1155,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -26361,7 +26455,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1202,6 @@
+@@ -1162,20 +1209,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -26382,7 +26476,7 @@
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1247,7 @@
+@@ -1221,6 +1254,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -26390,7 +26484,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1291,6 +1318,8 @@
+@@ -1291,6 +1325,8 @@
allow $1 user_home_t:filesystem associate;
files_type($1)
ubac_constrained($1)
@@ -26399,7 +26493,7 @@
')
########################################
-@@ -1387,7 +1416,7 @@
+@@ -1387,7 +1423,7 @@
########################################
## <summary>
@@ -26408,7 +26502,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -1420,6 +1449,14 @@
+@@ -1420,6 +1456,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -26423,7 +26517,7 @@
')
########################################
-@@ -1435,9 +1472,11 @@
+@@ -1435,9 +1479,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -26435,7 +26529,7 @@
')
########################################
-@@ -1494,6 +1533,25 @@
+@@ -1494,6 +1540,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -26461,7 +26555,7 @@
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1547,9 +1605,9 @@
+@@ -1547,9 +1612,9 @@
type user_home_dir_t, user_home_t;
')
@@ -26473,7 +26567,7 @@
')
########################################
-@@ -1568,6 +1626,8 @@
+@@ -1568,6 +1633,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -26482,7 +26576,7 @@
')
########################################
-@@ -1741,6 +1801,62 @@
+@@ -1741,6 +1808,62 @@
########################################
## <summary>
@@ -26545,7 +26639,7 @@
## Execute user home files.
## </summary>
## <param name="domain">
-@@ -1757,14 +1873,6 @@
+@@ -1757,14 +1880,6 @@
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -26560,7 +26654,7 @@
')
########################################
-@@ -1787,6 +1895,46 @@
+@@ -1787,6 +1902,46 @@
########################################
## <summary>
@@ -26607,7 +26701,7 @@
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
-@@ -2819,6 +2967,24 @@
+@@ -2819,6 +2974,24 @@
########################################
## <summary>
@@ -26632,7 +26726,7 @@
## Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
-@@ -2965,6 +3131,24 @@
+@@ -2965,6 +3138,24 @@
########################################
## <summary>
@@ -26657,7 +26751,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -2981,3 +3165,245 @@
+@@ -2981,3 +3172,245 @@
allow $1 userdomain:dbus send_msg;
')
@@ -26766,7 +26860,7 @@
+ ')
+
+ optional_policy(`
-+ rpm_dbus_chat($1_t)
++ rpm_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.749
retrieving revision 1.750
diff -u -r1.749 -r1.750
--- selinux-policy.spec 3 Dec 2008 23:40:18 -0000 1.749
+++ selinux-policy.spec 4 Dec 2008 18:45:06 -0000 1.750
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.1
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -87,8 +87,8 @@
/usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null
%define setupCmds() \
-make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \
-make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
@@ -96,10 +96,10 @@
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
%define installCmds() \
-make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
-make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
-make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \
-make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
+make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
#%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active \
@@ -234,7 +234,7 @@
%installCmds olpc mcs n y allow
%endif
-make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
@@ -446,6 +446,9 @@
%endif
%changelog
+* Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-5
+- Allow iptables to talk to terminals
+
* Wed Dec 3 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-4
- Cleanup policy
- Previous message (by thread): rpms/lcms/devel lcms.spec,1.19,1.20
- Next message (by thread): rpms/m4ri/devel import.log, NONE, 1.1 m4ri-license-clarification.mbox, NONE, 1.1 m4ri.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list