diff --git a/policy-F12.patch b/policy-F12.patch index 66d4b73..9fd17bd 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -692,10 +692,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(readahead_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.28/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.28/policy/modules/admin/rpm.fc 2009-08-21 18:56:06.000000000 -0400 -@@ -1,17 +1,16 @@ ++++ serefpolicy-3.6.28/policy/modules/admin/rpm.fc 2009-08-26 08:40:46.000000000 -0400 +@@ -1,17 +1,17 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/debuginfo-install -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -715,7 +716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` -@@ -21,15 +20,22 @@ +@@ -21,15 +21,22 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -7084,8 +7085,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc 2009-08-21 18:56:07.000000000 -0400 -@@ -0,0 +1,37 @@ ++++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc 2009-08-26 08:51:41.000000000 -0400 +@@ -0,0 +1,36 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -7122,7 +7123,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if 2009-08-21 18:56:07.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index b8cb1eb..ff63d14 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.28 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -97,7 +97,7 @@ cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ %define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \ -awk '$1 !~ "/^#/" && $1 != "unconfined" && $1 != "unconfineduser" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf ) +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf ) %define installCmds() \ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ 
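Review bot: The comment filter in the new `awk` line of `moduleList` looks ineffective: `$1 !~ "/^#/"` hands awk a string whose slashes are part of the pattern, so it does not test for a leading `#` and is effectively always true. With the explicit `unconfined`/`unconfineduser` exclusions gone, this expression is the only filter between modules-%{1}.conf and the module list installed in %post, so an entry written as `#name = module` would, as far as I can tell, still be emitted as `#name.pp.bz2`. I would use a regex literal, `$1 !~ /^#/`, and add a comment above the macro saying that the unconfined modules are now selected through modules-%{1}.conf.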
@@ -310,46 +310,13 @@ SELinux Reference policy targeted base module. %saveFileContext targeted %post targeted -function get_unconfined() { -# We only want to upgrade unconfined.pp and unconfineduser if they are -# currently installed. If you have a version 3.0.0 or less of unconfined -# installed, you will need to install both, since unconfineduser did not exist -# prior to this. -eval `semodule -l | while read package version; do - case $package in - "unconfineduser") - echo "unconfineduser=$version" - ;; - "unconfined") - echo "unconfined=$version" - ;; - esac -done` - -if [ -z "$unconfineduser" -a -n "$unconfined" ]; then - f1=`echo $unconfined | cut -d. -f 1` - if [ $f1 -lt 3 ]; then - unconfineduser="1" - else - if [ $f1 -eq 3 ]; then - f2=`echo $unconfined | cut -s -d. -f2` - f3=`echo $unconfined | cut -s -d. -f3` - if [ \( -z "$f2" \) -o \( \( "$f2" -eq 0 \) -a \( -z "f3" -o "$f3" -eq 0 \) \) ]; then - unconfineduser="1" - fi - fi - fi -fi -echo ${unconfined:+unconfined.pp.bz2} ${unconfineduser:+unconfineduser.pp.bz2} -} - if [ $1 -eq 1 ]; then - packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2" + packages="%{expand:%%moduleList targeted}" %loadpolicy targeted $packages restorecon -R /root /var/log /var/run 2> /dev/null else semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit 2>/dev/null - packages="%{expand:%%moduleList targeted} `get_unconfined`" + packages="%{expand:%%moduleList targeted}" %loadpolicy targeted $packages %relabel targeted fi @@ -394,8 +361,7 @@ SELinux Reference policy minimum base module. %saveFileContext minimum %post minimum -packages="unconfined.pp.bz2 unconfineduser.pp.bz2" -%loadpolicy minimum $packages +%loadpolicy minimum if [ $1 -eq 1 ]; then semanage -S minimum -i - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ 
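Review bot: The upgrade branch of `%post targeted` no longer checks what is installed before reloading modules: the removed `get_unconfined` helper re-installed `unconfined.pp.bz2`/`unconfineduser.pp.bz2` only when `semodule -l` already listed them, while `packages="%{expand:%%moduleList targeted}"` takes whatever modules-targeted.conf enables. If that file lists the two modules (the changelog entry suggests it does), a host where the administrator removed `unconfined` to keep every domain confined would get it back on the next package update, without notice. Either keep a `semodule -l` check for these two modules in the `else` branch, or state the new behaviour in a comment there, e.g. `# unconfined/unconfineduser come from modules-targeted.conf and are reinstalled on every upgrade`. The same applies to the `%post olpc` hunk further down.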
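Review bot: `%post minimum` now calls `%loadpolicy minimum` with no module list, yet the context right below still maps `__default__` to `unconfined_u` via `semanage`. The targeted and olpc scriptlets pass `%{expand:%%moduleList ...}`, so they can still pick up `unconfineduser` from their modules conf file; here nothing replaces the removed `packages=` line, and unless the minimum base module provides that user the login mapping will presumably fail on a fresh install. `%loadpolicy` is defined outside this diff, so it is also worth confirming that it tolerates a missing second argument. If the intent matches the changelog entry, something like `packages="%{expand:%%moduleList minimum}"` followed by `%loadpolicy minimum $packages` would keep the three scriptlets consistent.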
@@ -428,7 +394,7 @@ SELinux Reference policy olpc base module. %saveFileContext olpc %post olpc -packages="%{expand:%%moduleList olpc} unconfined.pp.bz2 unconfineduser.pp.bz2" +packages="%{expand:%%moduleList olpc}" %loadpolicy olpc $packages if [ $1 -ne 1 ]; then @@ -475,6 +441,9 @@ exit 0 %endif %changelog +* Wed Aug 26 2009 Dan Walsh 3.6.28-8 +- Add back in unconfined.pp and unconfineduser.pp + * Tue Aug 25 2009 Dan Walsh 3.6.28-7 - Fixes for cdrecord, mdadm, and others @@ -1364,7 +1333,6 @@ directory) - Fix Makefile.devel to build mls modules - Fix qemu to be more specific on labeling - * Tue Feb 26 2008 Dan Walsh 3.3.1-1 - Update to upstream fixes