From 7c8c93d3f8c235408608f885e8d4683d475a9a85 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 27 2008 02:34:01 +0000 Subject: - Add jkubin changes for nx and groupadd - Add isns port --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 9ad3d5e..0ac4e3e 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -4891,7 +4891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2008-02-26 17:53:57.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2008-02-26 21:27:24.000000000 -0500 @@ -6,6 +6,22 @@ # Declarations # @@ -5002,34 +5002,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2008-02-26 17:53:00.000000000 -0500 -@@ -306,6 +306,25 @@ - - ######################################## - ## -+## Do not audit attempts to get the attributes -+## of all directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_getattr_all_dirs',` -+ gen_require(` -+ attribute file_type; -+ ') -+ -+ allow $1 file_type:dir getattr; -+') -+ -+######################################## -+## - ## List all non-security directories. - ## - ## -@@ -343,8 +362,7 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2008-02-26 21:27:03.000000000 -0500 +@@ -343,8 +343,7 @@ ######################################## ## 
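Review bot: The removal of the whole `files_getattr_all_dirs` interface in the `@@ -5002,34 +5002,8 @@` hunk is not reflected in the commit subject, which lists only the nx, groupadd and isns-port changes; a line such as `- Drop files_getattr_all_dirs from the files.if patch` in the description would make the reason for the 26 deleted lines findable later. The dropped interface's summary said "Do not audit" while its body granted `allow $1 file_type:dir getattr;`, so removing it rather than shipping a mis-documented allow rule looks sound, but any caller of `files_getattr_all_dirs` elsewhere in policy-20070703.patch would now fail to build and none is visible from this hunk. The rest of the hunk is timestamp and hunk-offset renumbering only.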
@@ -5039,7 +5013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -352,12 +370,29 @@ +@@ -352,12 +351,29 @@ ## ## # @@ -5070,7 +5044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. allow $1 { file_type -security_file_type }:file mounton; ') -@@ -376,7 +411,7 @@ +@@ -376,7 +392,7 @@ attribute file_type, security_file_type; ') @@ -5079,7 +5053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -656,44 +691,6 @@ +@@ -656,44 +672,6 @@ ######################################## ## @@ -5124,7 +5098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Read all symbolic links. ## ## -@@ -885,6 +882,8 @@ +@@ -885,6 +863,8 @@ attribute file_type; ') @@ -5133,7 +5107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. allow $1 { file_type $2 }:dir list_dir_perms; relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 }) relabel_files_pattern($1,{ file_type $2 },{ file_type $2 }) -@@ -1106,6 +1105,24 @@ +@@ -1106,6 +1086,24 @@ ######################################## ## @@ -5158,7 +5132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## List the contents of the root directory. ## ## -@@ -1192,6 +1209,25 @@ +@@ -1192,6 +1190,25 @@ ######################################## ## @@ -5184,7 +5158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to read or write ## character device nodes in the root directory. ## -@@ -1229,6 +1265,24 @@ +@@ -1229,6 +1246,24 @@ ######################################## ## @@ -5209,7 +5183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Unmount a rootfs filesystem. ## ## -@@ -2023,6 +2077,31 @@ +@@ -2023,6 +2058,31 @@ ######################################## ## 
@@ -5241,7 +5215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3107,6 +3186,24 @@ +@@ -3107,6 +3167,24 @@ ######################################## ## @@ -5266,7 +5240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3198,6 +3295,44 @@ +@@ -3198,6 +3276,44 @@ ######################################## ## @@ -5311,7 +5285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Read all tmp files. ## ## -@@ -3323,6 +3458,42 @@ +@@ -3323,6 +3439,42 @@ ######################################## ## @@ -5354,7 +5328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Get the attributes of files in /usr. ## ## -@@ -3381,7 +3552,7 @@ +@@ -3381,7 +3533,7 @@ ######################################## ## @@ -5363,7 +5337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -3389,17 +3560,17 @@ +@@ -3389,17 +3541,17 @@ ## ## # @@ -5384,7 +5358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -3407,12 +3578,12 @@ +@@ -3407,12 +3559,12 @@ ## ## # @@ -5399,7 +5373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4043,7 +4214,7 @@ +@@ -4043,7 +4195,7 @@ type var_t, var_lock_t; ') @@ -5408,7 +5382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4285,6 +4456,25 @@ +@@ -4285,6 +4437,25 @@ ######################################## ## 
@@ -5434,7 +5408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to write to daemon runtime data files. ## ## -@@ -4560,6 +4750,8 @@ +@@ -4560,6 +4731,8 @@ # Need to give access to /selinux/member selinux_compute_member($1) @@ -5443,7 +5417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4582,6 +4774,11 @@ +@@ -4582,6 +4755,11 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -5455,7 +5429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4619,3 +4816,28 @@ +@@ -4619,3 +4797,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') @@ -14605,7 +14579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/samba.if 2008-02-26 17:24:56.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/samba.if 2008-02-26 21:22:53.000000000 -0500 @@ -63,6 +63,25 @@ ######################################## @@ -14659,7 +14633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +## +## +# -+interface(`samba_run_net',` ++interface(`samba_run_unconfined_net',` + gen_require(` + type samba_unconfined_net_t; + ')
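Review bot: The rename of `samba_run_net` to `samba_run_unconfined_net` in the `@@ -14659,7 +14633,7 @@` hunk changes a public interface name, so every caller of `samba_run_net` elsewhere in policy-20070703.patch has to be updated in the same commit, and no such caller is visible here. The interface body continues outside the hunk (only the `gen_require` of `samba_unconfined_net_t` is shown) and the `## <summary>` text above it is also out of view, so confirm that the summary names the unconfined domain, e.g. `## Execute samba net in the samba unconfined net domain.`, since callers of an interface that presumably transitions into `samba_unconfined_net_t` should see that from its documentation rather than only from its name.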