From 00cfff209b836375cbb5b6911dca3f7a92456607 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 14 2008 16:08:52 +0000 Subject: - Allow sambagui to use nsswitch --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 63bca70..45ce607 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -4148,8 +4148,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -0,0 +1,11 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-11-14 09:10:32.000000000 -0500 +@@ -0,0 +1,12 @@ + +/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) @@ -4161,6 +4161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-11-11 16:22:03.000000000 -0500 
@@ -4996,11 +4997,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-11 16:22:03.000000000 -0500 -@@ -48,6 +48,91 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-14 10:55:17.000000000 -0500 +@@ -46,6 +46,96 @@ + qemu_domtrans($1) + role $2 types qemu_t; allow qemu_t $3:chr_file rw_file_perms; - ') - ++ ++ optional_policy(` ++ samba_run_smb(qemu_t, $2, $3) ++ ') ++') ++ +####################################### +## +## The per role template for the qemu module. @@ -5043,6 +5050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_app($1, qemu_t) +') + ++ +####################################### +## +## The per role template for the qemu module. @@ -5084,12 +5092,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + domtrans_pattern($2, qemu_exec_t, qemu_t) + domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) -+ ') -+ + ') + ######################################## - ## - ## Allow the domain to read state files in /proc. -@@ -68,6 +153,64 @@ +@@ -68,6 +158,64 @@ ######################################## ## @@ -5154,15 +5160,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a signal to qemu. ## ## -@@ -104,7 +247,71 @@ +@@ -104,114 +252,194 @@ ######################################## ## -## Execute a domain transition to run qemu unconfined. +## Execute qemu programs in the qemu domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. +## +## 
@@ -5174,35 +5181,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## The type of the terminal allow the PAM domain to use. -+## -+## -+# + ## + ## + # +-interface(`qemu_domtrans_unconfined',` +interface(`qemu_runas',` -+ gen_require(` + gen_require(` +- type qemu_unconfined_t, qemu_exec_t; + type qemu_t; -+ ') -+ + ') + +- domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t) + qemu_domtrans($1) + allow qemu_t $3:chr_file rw_file_perms; -+') + -+######################################## -+## ++ optional_policy(` ++ samba_domtrans_smb(qemu_t) ++ ') + ') + + ######################################## + ## +-## Creates types and rules for a basic +-## qemu process domain. +## Execute qemu programs in the role. -+## + ## +-## +## -+## + ## +-## Prefix for the domain. +## The role to allow the PAM domain. -+## -+## -+# + ## + ## + # +-template(`qemu_domain_template',` +interface(`qemu_role',` + gen_require(` + type qemu_t; + ') + role $1 types qemu_t; +') -+ + +- ############################## +- # +- # Local Policy +######################################## +## +## Execute qemu unconfined programs in the role. 
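Review bot: The `samba_domtrans_smb(qemu_t)` added inside qemu_runas grants only the type transition; authorizing the caller's role for smbd_t is left to the caller, and the only place this commit supplies it is `samba_role_notrans(unconfined_r)` in unconfined.te, whereas the per-role template in the previous hunk uses `samba_run_smb(qemu_t, $2, $3)`, which does both. A caller that uses qemu_runas without that separate role grant would presumably have the qemu_t to smbd_t transition refused by role enforcement, which is easy to miss because qemu_runas already receives a `$2` (apparently the role) that this block never uses. Suggest stating the dependency in the interface header, e.g. `## Callers must also authorize the role for smbd_t (see samba_role_notrans).`, or calling `samba_run_smb(qemu_t, $2, $3)` here for symmetry with the template.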
@@ -5212,25 +5234,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## The role to allow the PAM domain. +## +## -+# + # +interface(`qemu_unconfined_role',` + gen_require(` + type qemu_unconfined_t; + ') + role $1 types qemu_unconfined_t; +') -+ -+ + +- type $1_t; +- domain_type($1_t) +- +- type $1_tmp_t; +- files_tmp_file($1_tmp_t) + +- ############################## +- # +- # Local Policy +######################################## +## +## Execute a domain transition to run qemu. - ## - ## - ## -@@ -122,6 +329,36 @@ ++## ++## ++## ++## Domain allowed to transition. ++## ++## + # ++interface(`qemu_domtrans_unconfined',` ++ gen_require(` ++ type qemu_unconfined_t, qemu_exec_t; ++ ') - ######################################## - ## +- allow $1_t self:capability { dac_read_search dac_override }; +- allow $1_t self:process { execstack execmem signal getsched }; +- allow $1_t self:fifo_file rw_file_perms; +- allow $1_t self:shm create_shm_perms; +- allow $1_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_t self:tcp_socket create_stream_socket_perms; ++ domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t) ++') + +- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) +- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) +- files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) ++######################################## ++## +## Execute qemu programs in the qemu unconfined domain. +## +## 
@@ -5253,63 +5302,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + type qemu_unconfined_t; + ') -+ + +- kernel_read_system_state($1_t) + qemu_domtrans_unconfined($1) + allow qemu_unconfined_t $3:chr_file rw_file_perms; +') -+ -+ -+######################################## -+## - ## Creates types and rules for a basic - ## qemu process domain. - ## -@@ -133,85 +370,32 @@ - # - template(`qemu_domain_template',` - -- ############################## -- # -- # Local Policy -- # -+ gen_require(` -+ attribute qemutype; -+ ') - -- type $1_t; -- domain_type($1_t) -+ type $1_t, qemutype; - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - -- ############################## -- # -- # Local Policy -- # -+ type $1_tmpfs_t; -+ files_tmpfs_file($1_tmpfs_t) - -- allow $1_t self:capability { dac_read_search dac_override }; -- allow $1_t self:process { execstack execmem signal getsched }; -- allow $1_t self:fifo_file rw_file_perms; -- allow $1_t self:shm create_shm_perms; -- allow $1_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_t self:tcp_socket create_stream_socket_perms; -+ type $1_image_t; -+ virt_image($1_image_t) -+ -+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) -+ manage_files_pattern($1_t, $1_image_t, $1_image_t) -+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) -+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - -- kernel_read_system_state($1_t) -- - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_all_if($1_t) 
@@ -5318,44 +5316,105 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_vnc_port($1_t) - corenet_rw_tun_tap_dev($1_t) -- ++######################################## ++## ++## Manage qemu temporary dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qemu_manage_tmp_dirs',` ++ gen_require(` ++ type qemu_tmp_t; ++ ') + -# dev_rw_kvm($1_t) -- ++ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) ++') + - domain_use_interactive_fds($1_t) -- ++######################################## ++## ++## Manage qemu temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qemu_manage_tmp_files',` ++ gen_require(` ++ type qemu_tmp_t; ++ ') + - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) -- ++ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ++') + - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_rw_tmpfs_files($1_t) -- ++######################################## ++## ++## Creates types and rules for a basic ++## qemu process domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`qemu_domain_template',` + - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) -- ++ gen_require(` ++ attribute qemutype; ++ ') + - term_use_ptmx($1_t) - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) -- ++ type $1_t, qemutype; + - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) -- ++ type $1_tmp_t, qemutmpfile; ++ files_tmp_file($1_tmp_t) + - miscfiles_read_localization($1_t) -- ++ type $1_tmpfs_t; ++ files_tmpfs_file($1_tmpfs_t) + - sysnet_read_config($1_t) -- ++ type $1_image_t; ++ virt_image($1_image_t) + -# optional_policy(` -# samba_domtrans_smb($1_t) -# ') -- ++ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) ++ manage_files_pattern($1_t, $1_image_t, $1_image_t) ++ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) ++ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) + - optional_policy(` - virt_manage_images($1_t) - virt_read_config($1_t) - virt_read_lib_files($1_t) - ') -- ++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + - optional_policy(` - xserver_stream_connect_xdm_xserver($1_t) - xserver_read_xdm_tmp_files($1_t) @@ -5369,17 +5428,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-11 16:22:03.000000000 -0500 -@@ -6,6 +6,8 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-14 10:33:08.000000000 -0500 +@@ -6,6 +6,9 @@ # Declarations # +attribute qemutype; ++attribute qemutmpfile; + ## ##
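Review bot: `type $1_tmp_t, qemutmpfile;` attaches the new attribute, but nothing visible in this diff grants anything on qemutmpfile: the new qemu_manage_tmp_dirs and qemu_manage_tmp_files interfaces act on qemu_tmp_t only, and qemu.te (next hunk) merely declares `attribute qemutmpfile;`. If the attribute is meant to let smbd_t reach every template-created tmp type, those interfaces should `gen_require(` attribute qemutmpfile; ')` and use `manage_dirs_pattern($1, qemutmpfile, qemutmpfile)` / `manage_files_pattern($1, qemutmpfile, qemutmpfile)`; otherwise the attribute is dead and the declaration could be dropped. The rest of qemu.te is outside this view, so it may be used there; a one-line comment at the declaration saying what it is for would settle that.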

## Allow qemu to connect fully to the network -@@ -13,16 +15,102 @@ +@@ -13,16 +16,102 @@ ## gen_tunable(qemu_full_network, false) @@ -5482,7 +5542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; -@@ -35,6 +123,30 @@ +@@ -35,6 +124,26 @@ corenet_tcp_connect_all_ports(qemu_t) ') @@ -5495,10 +5555,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ samba_domtrans_smb(qemu_t) -+') -+ -+optional_policy(` + virt_manage_images(qemu_t) +') + @@ -5529,8 +5585,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-11 16:22:03.000000000 -0500 -@@ -0,0 +1,60 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-14 10:20:42.000000000 -0500 +@@ -0,0 +1,62 @@ +policy_module(sambagui,1.0.0) + +######################################## @@ -5568,6 +5624,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +fs_list_inotifyfs(sambagui_t) + ++auth_use_nsswitch(sambagui_t) ++ +libs_use_ld_so(sambagui_t) +libs_use_shared_libs(sambagui_t) + 
@@ -11678,7 +11736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.13/policy/modules/services/arpwatch.if --- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if 2008-11-14 10:34:29.000000000 -0500 @@ -90,3 +90,45 @@ dontaudit $1 arpwatch_t:packet_socket { read write }; @@ -12534,7 +12592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-11-14 08:56:39.000000000 -0500 @@ -0,0 +1,81 @@ +policy_module(certmaster,1.0.0) + @@ -12571,7 +12629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# certmaster local policy +# -+ ++allow certmaster_t self:capability sys_tty_config; +allow certmaster_t self:tcp_socket create_stream_socket_perms; + +# config files 
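Review bot: `allow certmaster_t self:capability sys_tty_config;` is added with no explanation; in refpolicy this capability is commonly a spurious daemon request and is dontaudited rather than allowed, e.g. `dontaudit certmaster_t self:capability sys_tty_config;`. If certmaster genuinely needs it, a short why-comment above the rule would save the next reviewer the same question. The rest of the certmaster local policy lies outside this hunk.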
@@ -22708,8 +22766,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-11 16:22:03.000000000 -0500 -@@ -44,6 +44,44 @@ ++++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-14 10:57:07.000000000 -0500 +@@ -6,6 +6,24 @@ + + ####################################### + ##

++## The role for the samba module. ++## ++## ++## ++## The role to be allowed the samba_net domain. ++## ++## ++# ++template(`samba_role_notrans',` ++ gen_require(` ++ type smbd_t; ++ ') ++ ++ role $1 types smbd_t; ++') ++ ++####################################### ++## + ## The per role template for the samba module. + ## + ## +@@ -44,6 +62,44 @@ ######################################## ## @@ -22754,7 +22837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute samba net in the samba_net domain. ## ## -@@ -63,6 +101,25 @@ +@@ -63,6 +119,25 @@ ######################################## ## @@ -22780,10 +22863,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## -@@ -95,6 +152,38 @@ +@@ -95,6 +170,70 @@ ######################################## ## ++## Execute smbd in the smbd domain, and ++## allow the specified role the smbd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the samba_smb domain. ++## ++## ++## ++## ++## The type of the terminal allow the samba_smb domain to use. ++## ++## ++## ++# ++interface(`samba_run_smb',` ++ gen_require(` ++ type smbd_t; ++ ') ++ ++ samba_domtrans_smb($1) ++ role $2 types smbd_t; ++ allow smbd_t $3:chr_file rw_term_perms; ++') ++ ++######################################## ++## +## Execute samba net in the samba_unconfined_net domain, and +## allow the specified role the samba_unconfined_net domain. +## @@ -22819,7 +22934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute smbmount in the smbmount domain. ##
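Review bot: samba_role_notrans documents its argument as `The role to be allowed the samba_net domain.` but its body is `role $1 types smbd_t;`, so the doc names the wrong domain; change it to `## The role to be allowed the smbd domain.` and make the summary more specific than `The role for the samba module.`, e.g. `## Allow the role to run in the smbd domain (no transition rule).`. It is also declared with `template(` although it only requires a type and adds a role assignment, which is what the qemu_role and qemu_unconfined_role additions in this same commit express with `interface(`; using `interface(` here would be consistent.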
## -@@ -188,6 +277,28 @@ +@@ -188,6 +327,28 @@ ######################################## ## @@ -22848,7 +22963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow the specified domain to read samba's log files. ## ## -@@ -331,6 +442,25 @@ +@@ -331,6 +492,25 @@ ######################################## ## @@ -22874,7 +22989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow the specified domain to ## read and write samba /var files. ## -@@ -348,6 +478,7 @@ +@@ -348,6 +528,7 @@ files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) @@ -22882,7 +22997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -420,6 +551,7 @@ +@@ -420,6 +601,7 @@ ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) @@ -22890,7 +23005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -503,3 +635,208 @@ +@@ -503,3 +685,208 @@ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) ') ') @@ -23101,7 +23216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-14 10:37:14.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
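Review bot: samba_run_smb's parameter docs refer to a `samba_smb domain` (`The role to be allowed the samba_smb domain.` and `The type of the terminal allow the samba_smb domain to use.`), but the interface requires and grants smbd_t, and no samba_smb type appears anywhere in this diff. Rename both to `smbd domain` so they match the `role $2 types smbd_t;` and `allow smbd_t $3:chr_file rw_term_perms;` lines. This hunk begins on the previous line.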
@@ -23284,7 +23399,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -379,8 +420,10 @@ +@@ -360,6 +401,11 @@ + ') + + optional_policy(` ++ qemu_manage_tmp_dirs(smbd_t) ++ qemu_manage_tmp_files(smbd_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(smbd_t) + ') + +@@ -379,8 +425,10 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) @@ -23295,7 +23422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -452,6 +495,7 @@ +@@ -452,6 +500,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -23303,7 +23430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -536,6 +580,7 @@ +@@ -536,6 +585,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -23311,7 +23438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_list_bin(smbmount_t) -@@ -547,32 +592,46 @@ +@@ -547,32 +597,46 @@ auth_use_nsswitch(smbmount_t) @@ -23364,7 +23491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -592,6 +651,9 @@ +@@ -592,6 +656,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -23374,7 +23501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -616,10 +678,12 @@ +@@ -616,10 +683,12 @@ dev_read_urand(swat_t) @@ -23387,7 +23514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -628,6 +692,7 @@ +@@ -628,6 +697,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) 
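Review bot: The new `qemu_manage_tmp_dirs(smbd_t)` / `qemu_manage_tmp_files(smbd_t)` block gives the system-wide smbd domain write access to qemu's tmp type without saying why, and nothing nearby explains the coupling. Presumably this supports qemu launching smbd for its user-mode SMB share, which writes its configuration under a qemu-owned /tmp directory before starting smbd, but that should be confirmed and recorded, e.g. `# smbd started by qemu reads its config and writes runtime files in qemu_tmp_t` above the optional_policy block. Note that the grant applies to every smbd_t process, not only ones spawned from qemu_t.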
@@ -23395,7 +23522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -645,6 +710,17 @@ +@@ -645,6 +715,17 @@ kerberos_use(swat_t) ') @@ -23413,7 +23540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Winbind local policy -@@ -694,6 +770,8 @@ +@@ -694,6 +775,8 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) @@ -23422,7 +23549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -780,8 +858,13 @@ +@@ -780,8 +863,13 @@ miscfiles_read_localization(winbind_helper_t) optional_policy(` @@ -23436,7 +23563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -790,6 +873,16 @@ +@@ -790,6 +878,16 @@ # optional_policy(` @@ -23453,7 +23580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -800,9 +893,46 @@ +@@ -800,9 +898,46 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; 
@@ -31884,7 +32011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-11-14 10:57:44.000000000 -0500 @@ -6,35 +6,76 @@ # Declarations # @@ -32092,7 +32219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -159,43 +219,48 @@ +@@ -159,43 +219,49 @@ ') optional_policy(` @@ -32140,6 +32267,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` samba_per_role_template(unconfined) - samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ samba_role_notrans(unconfined_r) + samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -32157,7 +32285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -203,7 +268,7 @@ +@@ -203,7 +269,7 @@ ') optional_policy(` @@ -32166,7 +32294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -215,11 +280,12 @@ +@@ -215,11 +281,12 @@ ') optional_policy(` 
@@ -32181,7 +32309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -229,14 +295,58 @@ +@@ -229,14 +296,58 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index cfdd364..8a9dd39 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -457,6 +457,9 @@ exit 0 %endif %changelog +* Fri Nov 14 2008 Dan Walsh 3.5.13-21 +- Allow sambagui to use nsswitch + * Mon Nov 10 2008 Dan Walsh 3.5.13-20 - Change default boolean settings for xguest - Allow mount to r/w image files