From 547aa2a382fab5758f3c272f6140cf754f09b124 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 23 2008 12:20:04 +0000 Subject: - Apply unconfined_execmem_exec_t to haskell programs --- diff --git a/policy-20080509.patch b/policy-20080509.patch index e7c67e2..a1a58da 100644 --- a/policy-20080509.patch +++ b/policy-20080509.patch @@ -2904,7 +2904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.4.2/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/apps/java.if 2008-06-12 23:37:51.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/apps/java.if 2008-06-23 06:21:38.000000000 -0400 @@ -32,7 +32,7 @@ ## ## @@ -21027,7 +21027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.4.2/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-12 23:37:52.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-23 08:18:26.000000000 -0400 @@ -42,7 +42,7 @@ ## ## @@ -21037,10 +21037,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ## ## # -@@ -56,6 +56,24 @@ +@@ -56,6 +56,80 @@ ######################################## ## ++## Read the prelude spool files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prelude_read_spool',` ++ gen_require(` ++ type prelude_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, prelude_spool_t, prelude_spool_t) ++') ++ ++######################################## ++## ++## Read/Write to prelude-manager spool files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`prelude_rw_spool',` ++ gen_require(` ++ type prelude_spool_t; ++ ') ++ ++ files_search_spool($1) ++ rw_files_pattern($1, prelude_spool_t, prelude_spool_t) ++') ++ ++######################################## ++## +## Execute prelude server in the prelude domain. +## +## @@ -21059,10 +21097,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +######################################## +## ++## Execute prelude lml server in the prelude lml domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`prelude_lml_script_domtrans',` ++ gen_require(` ++ type prelude_lml_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,prelude_lml_script_exec_t) ++') ++ ++######################################## ++## ## All of the rules required to administrate ## an prelude environment ## -@@ -64,6 +82,16 @@ +@@ -64,6 +138,16 @@ ## Domain allowed access. ## ## @@ -21079,15 +21135,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ## # interface(`prelude_admin',` -@@ -71,6 +99,7 @@ +@@ -71,6 +155,11 @@ type prelude_t, prelude_spool_t; type prelude_var_run_t, prelude_var_lib_t; type prelude_audisp_t, prelude_audisp_var_run_t; + type prelude_script_exec_t; ++ ++ type prelude_lml_t, prelude_lml_tmp_t; ++ type prelude_lml_var_run_t; ++ type prelude_lml_script_exec_t; ') allow $1 prelude_t:process { ptrace signal_perms }; -@@ -79,11 +108,14 @@ +@@ -79,11 +168,23 @@ allow $1 prelude_audisp_t:process { ptrace signal_perms }; ps_process_pattern($1, prelude_audisp_t) @@ -21096,7 +21156,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel - manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t) - - manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t) -- ++ allow $1 prelude_lml_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, prelude_lml_t) + - manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t) + # Allow prelude_t to restart the apache service + prelude_script_domtrans($1) @@ -21104,14 +21166,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + role_transition $2 prelude_script_exec_t system_r; + allow $2 system_r; + ++ # Allow prelude_t to restart the apache service ++ prelude_lml_script_domtrans($1) ++ role_transition $2 prelude_lml_script_exec_t system_r; ++ + manage_all_pattern($1, prelude_spool_t) + manage_all_pattern($1, prelude_var_lib_t) + manage_all_pattern($1, prelude_var_run_t) + manage_all_pattern($1, prelude_audisp_var_run_t) ++ manage_all_pattern($1, prelude_lml_tmp_t) ++ manage_all_pattern($1, prelude_lml_var_run_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-22 07:53:36.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-23 08:09:53.000000000 -0400 @@ -19,12 +19,31 @@ type prelude_var_lib_t; files_type(prelude_var_lib_t) @@ -24165,11 +24233,135 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.4.2/policy/modules/services/snort.fc +--- nsaserefpolicy/policy/modules/services/snort.fc 2008-06-12 23:25:05.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/snort.fc 2008-06-23 07:53:28.000000000 -0400 +@@ -1,6 +1,10 @@ ++/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) ++/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) + +-/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) ++/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) + +-/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) ++/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) + +-/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) ++/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) ++ ++/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.4.2/policy/modules/services/snort.if +--- nsaserefpolicy/policy/modules/services/snort.if 2008-06-12 23:25:05.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/snort.if 2008-06-23 07:54:05.000000000 -0400 +@@ -1 +1,95 @@ +-## Snort network intrusion detection system ++## SELinux policy for Snort IDS ++## ++##

++## Applies SELinux security to Snort IDS ++##

++## ++ ++######################################## ++## ++## Execute a domain transition to run snort. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`snort_domtrans',` ++ gen_require(` ++ type snort_t, snort_exec_t; ++ ') ++ ++ domtrans_pattern($1, snort_exec_t, snort_t) ++') ++ ++######################################## ++## ++## Execute snort IDS in the snort domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`snort_script_domtrans',` ++ gen_require(` ++ type snort_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1, snort_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an snort environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`snort_admin',` ++ gen_require(` ++ type snort_t, snort_var_run_t, snort_script_exec_t, snort_etc_t, snort_log_t; ++ ') ++ ++ allow $1 snort_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, snort_t, snort_t) ++ ++ manage_all_pattern($1, snort_etc_t) ++ manage_all_pattern($1, snort_var_run_t) ++ manage_all_pattern($1, snort_log_t) ++') ++ ++######################################## ++## ++## Signal the snort domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`snort_signal',` ++ gen_require(` ++ type snort_t; ++ ') ++ ++ allow $1 snort_t:process signal; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.4.2/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/snort.te 2008-06-12 23:37:51.000000000 -0400 -@@ -11,7 +11,7 @@ - init_daemon_domain(snort_t,snort_exec_t) ++++ serefpolicy-3.4.2/policy/modules/services/snort.te 2008-06-23 08:17:03.000000000 -0400 +@@ -8,10 +8,13 @@ + + type snort_t; + type snort_exec_t; +-init_daemon_domain(snort_t,snort_exec_t) ++init_daemon_domain(snort_t, snort_exec_t) ++ ++type snort_script_exec_t; ++init_script_type(snort_script_exec_t) type snort_etc_t; -files_type(snort_etc_t) @@ -24177,6 +24369,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor type snort_log_t; logging_log_file(snort_log_t) +@@ -65,8 +68,11 @@ + corenet_raw_sendrecv_all_nodes(snort_t) + corenet_tcp_sendrecv_all_ports(snort_t) + corenet_udp_sendrecv_all_ports(snort_t) ++corenet_tcp_connect_prelude_port(snort_t) + + dev_read_sysfs(snort_t) ++dev_read_rand(snort_t) ++dev_read_urand(snort_t) + + domain_use_interactive_fds(snort_t) + +@@ -79,6 +85,8 @@ + libs_use_ld_so(snort_t) + libs_use_shared_libs(snort_t) + ++init_read_utmp(snort_t) ++ + logging_send_syslog_msg(snort_t) + + miscfiles_read_localization(snort_t) +@@ -90,6 +98,10 @@ + sysadm_dontaudit_search_home_dirs(snort_t) + + optional_policy(` ++ prelude_rw_spool(snort_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(snort_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.4.2/policy/modules/services/soundserver.fc --- nsaserefpolicy/policy/modules/services/soundserver.fc 2008-06-12 23:25:05.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/services/soundserver.fc 2008-06-12 23:37:51.000000000 -0400 @@ -26115,7 +26339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 23:37:52.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-23 07:38:27.000000000 -0400 @@ -16,7 +16,8 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -26282,7 +26506,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs($1,$1_xserver_t) userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) -@@ -360,13 +369,6 @@ +@@ -355,18 +364,12 @@ + + xserver_use_user_fonts($1,$1_xserver_t) + xserver_rw_xdm_tmp_files($1_xauth_t) ++ xserver_read_xdm_xserver_tmp_files($2) + + optional_policy(` userhelper_search_config($1_xserver_t) ') @@ -26296,7 +26526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # $1_xauth_t Local policy -@@ -375,12 +377,12 @@ +@@ -375,12 +378,12 @@ allow $1_xauth_t self:process signal; allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; @@ -26314,7 +26544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -@@ -389,11 +391,11 @@ +@@ -389,11 +392,11 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -26330,7 +26560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) -@@ -435,16 +437,16 @@ +@@ -435,16 +438,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -26352,7 +26582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints($1_iceauth_t) -@@ -467,34 +469,12 @@ +@@ -467,34 +470,12 @@ # # Device rules @@ -26389,7 +26619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER allow $2 info_xproperty_t:x_property { create write append }; -@@ -610,7 +590,7 @@ +@@ -610,7 +591,7 @@ # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; @@ -26398,7 +26628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') allow $2 self:shm create_shm_perms; -@@ -618,8 +598,8 @@ +@@ -618,8 +599,8 @@ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26409,7 +26639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,13 +623,175 @@ +@@ -643,13 +624,175 @@ xserver_read_xdm_tmp_files($2) @@ -26589,7 +26819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ####################################### ## ## Interface to provide X object permissions on a given X server to -@@ -676,7 +818,7 @@ +@@ -676,7 +819,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -26598,7 +26828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -685,7 +827,6 @@ +@@ -685,7 +828,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -26606,7 +26836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -709,20 +850,22 @@ +@@ -709,20 +851,22 @@ # Declarations # @@ -26632,7 +26862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # Local Policy -@@ -740,7 +883,7 @@ +@@ -740,7 +884,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -26641,7 +26871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -749,7 +892,7 @@ +@@ -749,7 +893,7 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -26650,7 +26880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Protocol Extensions allow $3 std_xext_t:x_extension { query use }; -@@ -758,27 +901,17 @@ +@@ -758,27 +902,17 @@ # X Properties # can read and write client properties @@ -26683,7 +26913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Input # can receive own events -@@ -805,6 +938,12 @@ +@@ -805,6 +939,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; @@ -26696,7 +26926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -813,13 +952,15 @@ +@@ -813,13 +953,15 @@ # Other X Objects # can create and use cursors @@ -26716,7 +26946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -879,17 +1020,17 @@ +@@ -879,17 +1021,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -26741,7 +26971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $3 xdm_t:fd use; -@@ -916,11 +1057,9 @@ +@@ -916,11 +1058,9 @@ # X object manager xserver_common_x_domain_template($1,$2,$3) @@ -26756,7 +26986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -952,26 +1091,43 @@ +@@ -952,26 +1092,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -26807,7 +27037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1005,6 +1161,73 @@ +@@ -1005,6 +1162,73 @@ ######################################## ## @@ -26881,7 +27111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1030,10 +1253,10 @@ +@@ -1030,10 +1254,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -26894,7 +27124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1219,6 +1442,25 @@ +@@ -1219,6 +1443,25 @@ ######################################## ## @@ -26920,7 +27150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1515,7 @@ +@@ -1273,6 +1516,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -26928,7 +27158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1291,7 +1534,7 @@ +@@ -1291,7 +1535,7 @@ ') files_search_pids($1) @@ -26937,7 +27167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1314,6 +1557,24 @@ +@@ -1314,6 +1558,24 @@ ######################################## ## @@ -26962,7 +27192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1585,47 @@ +@@ -1324,15 +1586,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -27011,7 +27241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1775,7 @@ +@@ -1482,7 +1776,7 @@ type xdm_xserver_tmp_t; ') @@ -27020,7 +27250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1674,6 +1967,65 @@ +@@ -1674,6 +1968,65 @@ ######################################## ## @@ -27086,7 +27316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1686,8 +2038,87 @@ +@@ -1686,8 +2039,87 @@ # interface(`xserver_unconfined',` gen_require(` @@ -32116,8 +32346,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.4.2/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/system/unconfined.fc 2008-06-12 23:37:52.000000000 -0400 -@@ -2,15 +2,19 @@ ++++ serefpolicy-3.4.2/policy/modules/system/unconfined.fc 2008-06-23 06:28:00.000000000 -0400 +@@ -2,15 +2,26 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t @@ -32141,6 +32371,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++ ++/usr/bin/haddock.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/hasktags -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/runghc -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.4.2/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-06-12 23:25:07.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/unconfined.if 2008-06-22 20:50:34.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 42e8b97..b917f17 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.4.2 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -375,6 +375,9 @@ exit 0 %endif %changelog +* Mon Jun 23 2008 Dan Walsh 3.4.2-6 +- Apply unconfined_execmem_exec_t to haskell programs + * Sun Jun 22 2008 Dan Walsh 3.4.2-5 - Fix prelude file context