rpms/selinux-policy/devel policy-20071130.patch,1.97,1.98

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Mar 12 02:21:21 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14181

Modified Files:
	policy-20071130.patch 
Log Message:
* Tue Mar 11 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-15
- Allow init to transition to initrc_t on shell exec.
- Fix init to be able to sendto init_t.
- Allow syslog to connect to mysql
- Allow lvm to manage its own fifo_files
- Allow bugzilla to use ldap
- More mls fixes 


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.97
retrieving revision 1.98
diff -u -r1.97 -r1.98
--- policy-20071130.patch	12 Mar 2008 01:10:44 -0000	1.97
+++ policy-20071130.patch	12 Mar 2008 02:21:18 -0000	1.98
@@ -23429,7 +23429,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-11 19:56:07.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-11 22:20:09.000000000 -0400
 @@ -12,9 +12,15 @@
  ##	</summary>
  ## </param>
@@ -23896,7 +23896,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,25 +543,541 @@
+@@ -542,25 +543,533 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -24023,6 +24023,7 @@
 +		type  screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
 +		type disallowed_xext_t;
 +		type output_xext_t;
++		type accelgraphics_xext_t;
 +
 +		attribute x_server_domain, x_domain;
 +		attribute xproperty_type;
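Review bot: `type accelgraphics_xext_t;` is added to the gen_require block here, yet the only visible rule that referenced it, `allow $1 accelgraphics_xext_t:x_extension use;`, is removed later in this same commit (the hunk at `@@ -24082,24 +24077,28 @@`) in favour of the attribute-wide `allow $1 xextension_type:x_extension use;`, so the new require looks unused. If nothing else in the template names the type, drop the line; if accelerated graphics are meant to be handled differently from other extensions, keep a per-type rule next to the require so the two stay in step. The enclosing template begins before this hunk and its gen_require closes outside it, so a use elsewhere in the body cannot be ruled out from here.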
@@ -24069,12 +24070,6 @@
 +		allow $1 { x_domain x_server_domain }:x_device read;
 +	')
 +
-+	# everyone can grab the server
-+	# everyone does it, it is basically a free DOS attack
-+	allow $1 x_server_domain:x_server grab;
-+	# everyone can get the font path, etc.
-+	# this could leak out sensitive information
-+	allow $1 x_server_domain:x_server { getattr manage };
 +	# everyone can do override-redirect windows.
 +	# this could be used to spoof labels
 +	allow $1 $1:x_drawable override;
@@ -24082,24 +24077,28 @@
 +	# allows to know when new windows appear, among other things
 +	allow $1 manage_xevent_t:x_event receive;
 +
-+	allow $1 accelgraphics_xext_t:x_extension use;
++	allow $1 xextension_type:x_extension use;
 +
 +	# X Server
 +	# can read server-owned resources
 +	allow $1 x_server_domain:x_resource read;
++	# everyone can grab the server
++	# everyone does it, it is basically a free DOS attack
++	allow $1 x_server_domain:x_server grab;
++	# everyone can get the font path, etc.
++	# this could leak out sensitive information
++	allow $1 x_server_domain:x_server { getattr manage };
++
 +	# can mess with own clients
 +	allow $1 $1:x_client { manage destroy };
 +
 +	# X Protocol Extensions
-+	allow $1 std_xext_t:x_extension { use };
-+	allow $1 shmem_xext_t:x_extension { use };
 +	allow $1 xextension_type:x_extension query;
 +
 +	# X Properties
 +	# can read and write client properties
 +	allow $1 $1:x_property { create destroy read write };
 +	allow $1 default_xproperty_t:x_property { read write destroy create };
-+	allow $1 output_xext_t:x_extension { use };
 +	allow $1 output_xext_t:x_property read;
 +	allow $1 xserver_unconfined_type:x_property read;
 +
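Review bot: `allow $1 xextension_type:x_extension use;` replaces the per-type `use` rules (std, shmem, output, screensaver, unknown, disallowed, accelgraphics) with a grant on every type carrying the xextension_type attribute, which includes disallowed_xext_t and any extension type declared in the future, so the policy loses the ability to single out an extension as unusable by clients; the old rules granted the same set today, but the behaviour is no longer opt-in per type. If disallowed_xext_t is meant to be what its name says, the rule can stay attribute-based while excluding it, `allow $1 { xextension_type -disallowed_xext_t }:x_extension use;`, otherwise a comment saying all extensions are intentionally usable would help the next reader. The rule also now sits under the `# X Server` heading while the `# X Protocol Extensions` heading introduces only the `query` rule; moving the `use` line down beside `allow $1 xextension_type:x_extension query;` keeps the section comments truthful. The enclosing template starts before and ends after this hunk.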
@@ -24163,16 +24162,9 @@
 +	# can read and write own objects
 +	allow $1 $1:x_resource { read write };
 +
-+	allow $1 screensaver_xext_t:x_extension { use };
-+	allow $1 unknown_xext_t:x_extension { use };
-+
 +	allow $1 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr };
 +
-+        allow $1 disallowed_xext_t:x_extension { use };
 +
-+	allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr };
-+	allow $1 xdm_xserver_t:x_resource read;
-+	allow $1 xdm_xserver_t:x_server grab;
 +')
 +
 +#######################################
@@ -24444,7 +24436,7 @@
  	')
  ')
  
-@@ -593,26 +1110,44 @@
+@@ -593,26 +1102,44 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -24496,7 +24488,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -638,10 +1173,77 @@
+@@ -638,10 +1165,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
@@ -24576,7 +24568,7 @@
  ')
  
  ########################################
-@@ -671,10 +1273,10 @@
+@@ -671,10 +1265,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -24589,7 +24581,7 @@
  ')
  
  ########################################
-@@ -760,7 +1362,7 @@
+@@ -760,7 +1354,7 @@
  		type xconsole_device_t;
  	')
  
@@ -24598,7 +24590,7 @@
  ')
  
  ########################################
-@@ -860,6 +1462,25 @@
+@@ -860,6 +1454,25 @@
  
  ########################################
  ## <summary>
@@ -24624,7 +24616,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1535,7 @@
+@@ -914,6 +1527,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -24632,7 +24624,7 @@
  ')
  
  ########################################
-@@ -955,6 +1577,24 @@
+@@ -955,6 +1569,24 @@
  
  ########################################
  ## <summary>
@@ -24657,7 +24649,7 @@
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -965,15 +1605,47 @@
+@@ -965,15 +1597,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -24706,7 +24698,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1795,7 @@
+@@ -1123,7 +1787,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -24715,7 +24707,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1984,83 @@
+@@ -1312,3 +1976,83 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')



