rpms/selinux-policy/devel policy-20071130.patch,1.97,1.98
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Mar 12 02:21:21 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14181
Modified Files:
policy-20071130.patch
Log Message:
* Tue Mar 11 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-15
- Allow init to transition to initrc_t on shell exec.
- Fix init to be able to sendto init_t.
- Allow syslog to connect to mysql
- Allow lvm to manage its own fifo_files
- Allow bugzilla to use ldap
- More mls fixes
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.97
retrieving revision 1.98
diff -u -r1.97 -r1.98
--- policy-20071130.patch 12 Mar 2008 01:10:44 -0000 1.97
+++ policy-20071130.patch 12 Mar 2008 02:21:18 -0000 1.98
@@ -23429,7 +23429,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 19:56:07.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 22:20:09.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@@ -23896,7 +23896,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -542,25 +543,541 @@
+@@ -542,25 +543,533 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -24023,6 +24023,7 @@
+ type screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
+ type disallowed_xext_t;
+ type output_xext_t;
++ type accelgraphics_xext_t;
+
+ attribute x_server_domain, x_domain;
+ attribute xproperty_type;
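Review bot: The `type accelgraphics_xext_t;` added to this gen_require block (fourth line of the hunk) appears to have no remaining user once the later hunk starting at `@@ -24082,24 +24077,28 @@` replaces `allow $1 accelgraphics_xext_t:x_extension use;` with the attribute-based `allow $1 xextension_type:x_extension use;`. A required-but-unreferenced type is accepted by the policy compiler but misleads readers into expecting a rule for it, and the require will fail at module load if that type is ever dropped from the base policy; either remove the line again or keep it together with an explicit accelgraphics rule. The template this gen_require belongs to starts before and ends after this hunk, so a reference elsewhere in its body cannot be ruled out from here.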
@@ -24069,12 +24070,6 @@
+ allow $1 { x_domain x_server_domain }:x_device read;
+ ')
+
-+ # everyone can grab the server
-+ # everyone does it, it is basically a free DOS attack
-+ allow $1 x_server_domain:x_server grab;
-+ # everyone can get the font path, etc.
-+ # this could leak out sensitive information
-+ allow $1 x_server_domain:x_server { getattr manage };
+ # everyone can do override-redirect windows.
+ # this could be used to spoof labels
+ allow $1 $1:x_drawable override;
@@ -24082,24 +24077,28 @@
+ # allows to know when new windows appear, among other things
+ allow $1 manage_xevent_t:x_event receive;
+
-+ allow $1 accelgraphics_xext_t:x_extension use;
++ allow $1 xextension_type:x_extension use;
+
+ # X Server
+ # can read server-owned resources
+ allow $1 x_server_domain:x_resource read;
++ # everyone can grab the server
++ # everyone does it, it is basically a free DOS attack
++ allow $1 x_server_domain:x_server grab;
++ # everyone can get the font path, etc.
++ # this could leak out sensitive information
++ allow $1 x_server_domain:x_server { getattr manage };
++
+ # can mess with own clients
+ allow $1 $1:x_client { manage destroy };
+
+ # X Protocol Extensions
-+ allow $1 std_xext_t:x_extension { use };
-+ allow $1 shmem_xext_t:x_extension { use };
+ allow $1 xextension_type:x_extension query;
+
+ # X Properties
+ # can read and write client properties
+ allow $1 $1:x_property { create destroy read write };
+ allow $1 default_xproperty_t:x_property { read write destroy create };
-+ allow $1 output_xext_t:x_extension { use };
+ allow $1 output_xext_t:x_property read;
+ allow $1 xserver_unconfined_type:x_property read;
+
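Review bot: The new `allow $1 xextension_type:x_extension use;` near the top of the hunk grants every caller `use` on every type carrying the xextension_type attribute, while `query` on the same attribute is granted further down under the `# X Protocol Extensions` heading; the two belong together as `allow $1 xextension_type:x_extension { query use };` under that heading so the whole extension grant is visible in one place. Since the next hunk drops the explicit `disallowed_xext_t:x_extension { use }` line, the attribute rule presumably now covers disallowed_xext_t too (if that type carries the attribute, which is not visible here); a comment such as `# every extension type, disallowed_xext_t included, is usable by any X client` would stop the type name from implying a restriction the policy does not enforce. The grab and getattr/manage rules moved into this hunk retain their original caveat comments, so no further documentation is needed there.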
@@ -24163,16 +24162,9 @@
+ # can read and write own objects
+ allow $1 $1:x_resource { read write };
+
-+ allow $1 screensaver_xext_t:x_extension { use };
-+ allow $1 unknown_xext_t:x_extension { use };
-+
+ allow $1 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr };
+
-+ allow $1 disallowed_xext_t:x_extension { use };
+
-+ allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr };
-+ allow $1 xdm_xserver_t:x_resource read;
-+ allow $1 xdm_xserver_t:x_server grab;
+')
+
+#######################################
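Review bot: Deleting the three `allow $1 xdm_xserver_t:...` rules leaves two consecutive empty `+` lines between the x_rootscreen_t rule and the closing `+')`; one of them should go so the patched template does not end with a double blank line. The dropped `xdm_xserver_t:x_device { getattr getfocus use setattr }` grant has no visible replacement in this commit — the only x_device rule in view is the `read`-only one in the hunk at `@@ -24069,12 +24070,6 @@` — so whether callers of this template still obtain x_device getfocus/use through another rule should be confirmed against the rest of the template, whose beginning lies outside this hunk.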
@@ -24444,7 +24436,7 @@
')
')
-@@ -593,26 +1110,44 @@
+@@ -593,26 +1102,44 @@
#
template(`xserver_use_user_fonts',`
gen_require(`
@@ -24496,7 +24488,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -638,10 +1173,77 @@
+@@ -638,10 +1165,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
@@ -24576,7 +24568,7 @@
')
########################################
-@@ -671,10 +1273,10 @@
+@@ -671,10 +1265,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@@ -24589,7 +24581,7 @@
')
########################################
-@@ -760,7 +1362,7 @@
+@@ -760,7 +1354,7 @@
type xconsole_device_t;
')
@@ -24598,7 +24590,7 @@
')
########################################
-@@ -860,6 +1462,25 @@
+@@ -860,6 +1454,25 @@
########################################
## <summary>
@@ -24624,7 +24616,7 @@
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
-@@ -914,6 +1535,7 @@
+@@ -914,6 +1527,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -24632,7 +24624,7 @@
')
########################################
-@@ -955,6 +1577,24 @@
+@@ -955,6 +1569,24 @@
########################################
## <summary>
@@ -24657,7 +24649,7 @@
## Execute the X server in the XDM X server domain.
## </summary>
## <param name="domain">
-@@ -965,15 +1605,47 @@
+@@ -965,15 +1597,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
@@ -24706,7 +24698,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1123,7 +1795,7 @@
+@@ -1123,7 +1787,7 @@
type xdm_xserver_tmp_t;
')
@@ -24715,7 +24707,7 @@
')
########################################
-@@ -1312,3 +1984,83 @@
+@@ -1312,3 +1976,83 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')