From 15f71c5d612ae1b947c7a9f7e34ad162664c72cb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 04 2008 17:26:52 +0000 Subject: - Add livecd policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 8b0b82e..e309bf4 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1668,3 +1668,10 @@ xguest = module # IMAP and POP3 email servers # courier = module + +# Layer: apps +# Module: livecd +# +# livecd creator +# +livecd = module diff --git a/policy-20080509.patch b/policy-20080509.patch index ecd92e0..b8719df 100644 --- a/policy-20080509.patch +++ b/policy-20080509.patch @@ -1898,7 +1898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.4.1/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-05-23 09:15:06.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/apps/gnome.if 2008-06-03 16:01:51.000000000 -0400 ++++ serefpolicy-3.4.1/policy/modules/apps/gnome.if 2008-06-04 11:11:07.509407000 -0400 @@ -36,6 +36,7 @@ gen_require(` type gconfd_exec_t, gconf_etc_t; @@ -1907,7 +1907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ') ############################## -@@ -44,41 +45,31 @@ +@@ -44,41 +45,32 @@ # type $1_gconfd_t, gnomedomain; @@ -1923,6 +1923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if - - type $1_gconf_tmp_t; - files_tmp_file($1_gconf_tmp_t) ++ typealias gnome_home_t alias $1_gnome_home_t; + typealias gconf_home_t alias $1_gconf_home_t; + typealias gconf_tmp_t alias $1_gconf_tmp_t; @@ -1964,7 +1965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ps_process_pattern($2,$1_gconfd_t) -@@ -86,6 +77,10 @@ +@@ -86,6 +78,10 @@ files_read_etc_files($1_gconfd_t) 
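Review bot: The added `typealias gnome_home_t alias $1_gnome_home_t;` in the gnome.if hunk at `@@ -1923,6 +1923,7` makes each role's `$1_gnome_home_t` just another name for the shared `gnome_home_t`, so every role's gnome home content carries one label and a rule granted on one role's alias reaches all of them; the hunk leaves that trade-off undocumented. It matches the `gconf_home_t`/`gconf_tmp_t` aliases on the two lines below it, so a comment above the three alias lines would help, e.g. `# per-role names are aliases of one shared type; gnome/gconf home content is not separated between roles`. The alias also needs `gnome_home_t` listed in the template's `gen_require` block, and the edit to that block (inner hunk `@@ -36,6 +36,7`, shown at `@@ -1898,7`) is only partly visible here, so confirm the type is required there. The enclosing template starts and ends outside this hunk.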
@@ -1975,7 +1976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if libs_use_ld_so($1_gconfd_t) libs_use_shared_libs($1_gconfd_t) -@@ -93,11 +88,8 @@ +@@ -93,11 +89,8 @@ logging_send_syslog_msg($1_gconfd_t) @@ -1989,7 +1990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if optional_policy(` nscd_dontaudit_search_pid($1_gconfd_t) -@@ -107,6 +99,10 @@ +@@ -107,6 +100,10 @@ xserver_use_xdm_fds($1_gconfd_t) xserver_rw_xdm_pipes($1_gconfd_t) ') @@ -2000,7 +2001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ') ######################################## -@@ -128,11 +124,28 @@ +@@ -128,11 +125,28 @@ template(`gnome_stream_connect_gconf_template',` gen_require(` type $1_gconfd_t; @@ -2032,7 +2033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ') ######################################## -@@ -141,7 +154,7 @@ +@@ -141,7 +155,7 @@ ## ## ##

@@ -2041,7 +2042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ##

##

## This is a templated interface, and should only -@@ -170,6 +183,30 @@ +@@ -170,6 +184,30 @@ ######################################## ##

@@ -2072,7 +2073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## manage gnome homedir content (.config) ## ## -@@ -186,9 +223,29 @@ +@@ -186,9 +224,29 @@ # template(`gnome_manage_user_gnome_config',` gen_require(` @@ -3200,7 +3201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.f +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.4.1/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.4.1/policy/modules/apps/livecd.if 2008-06-03 09:53:54.000000000 -0400 ++++ serefpolicy-3.4.1/policy/modules/apps/livecd.if 2008-06-04 13:26:20.582917000 -0400 @@ -0,0 +1,56 @@ + +## policy for livecd @@ -29897,8 +29898,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.4.1/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.4.1/policy/modules/system/qemu.if 2008-06-03 09:53:56.000000000 -0400 -@@ -0,0 +1,313 @@ ++++ serefpolicy-3.4.1/policy/modules/system/qemu.if 2008-06-04 13:13:44.213306000 -0400 +@@ -0,0 +1,318 @@ + +## policy for qemu + @@ -30142,7 +30143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + domain_use_interactive_fds($1_t) + + allow $1_t self:capability { dac_read_search dac_override }; -+ allow $1_t self:process { execstack execmem signal getsched }; ++ allow $1_t self:process { execstack execmem signal getsched signull }; + allow $1_t self:tcp_socket create_stream_socket_perms; + + ## internal communication is often done using fifo and unix sockets. 
@@ -30159,6 +30160,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + ++ dev_read_sound($1_t) ++ dev_write_sound($1_t) ++ + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_all_if($1_t) @@ -30189,6 +30193,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + term_getattr_pty_fs($1_t) + term_use_generic_ptys($1_t) + ++ auth_use_nsswitch($1_t) ++ + libs_use_ld_so($1_t) + libs_use_shared_libs($1_t) + @@ -32074,7 +32080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.4.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-05-29 15:55:43.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/system/unconfined.te 2008-06-03 11:34:41.000000000 -0400 ++++ serefpolicy-3.4.1/policy/modules/system/unconfined.te 2008-06-04 13:26:18.902281000 -0400 @@ -1,40 +1,79 @@ -policy_module(unconfined, 2.2.1) @@ -32242,20 +32248,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -123,11 +176,7 @@ +@@ -123,11 +176,11 @@ ') optional_policy(` - inn_domtrans(unconfined_t) --') -- --optional_policy(` -- java_domtrans(unconfined_t) + iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -@@ -139,18 +188,6 @@ +- java_domtrans(unconfined_t) ++ livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') + + optional_policy(` +@@ -139,18 +192,6 @@ ') optional_policy(` 
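Review bot: `livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })` in the unconfined.te hunk at `@@ -32242,20 +32248,21` opens a domain transition from unconfined_t into the livecd domain, but nothing in this commit shows what that domain is allowed to do: the only livecd.if change here is the `+++` timestamp at `@@ -3200,7`, and the commit message says only "Add livecd policy". Because the call sits in the unconfined domain, the confinement gained is entirely whatever the livecd module grants, and the `_run` interface presumably also has to authorize the livecd domain for `unconfined_r` for the transition to succeed — worth checking against the interface definition before merging. A one-line comment above the call would save the next reader that lookup, e.g. `# livecd-creator (/usr/bin/livecd-creator) runs in its own domain; see apps/livecd.if`. The surrounding `optional_policy` blocks of unconfined.te continue outside this hunk.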
@@ -32274,7 +32281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') -@@ -159,38 +196,46 @@ +@@ -159,38 +200,46 @@ ') optional_policy(` @@ -32334,7 +32341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -198,23 +243,33 @@ +@@ -198,23 +247,33 @@ ') optional_policy(` @@ -32373,7 +32380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -224,14 +279,35 @@ +@@ -224,14 +283,35 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 3914f23..13c7750 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.4.1 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -375,7 +375,10 @@ exit 0 %endif %changelog -* Fri May 9 2008 Dan Walsh 3.4.1-3 +* Wed Jun 4 2008 Dan Walsh 3.4.1-4 +- Add livecd policy + +* Wed Jun 4 2008 Dan Walsh 3.4.1-3 - Dontaudit search of admin_home for init_system_domain - Rewrite of xace interfaces - Lots of new fs_list_inotify