From 53891dc045bec18ce164d4e3ff8bda4488e37a41 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 14 2009 14:48:38 +0000 Subject: - Fix labeling for privoxy config files --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 8662f82..f2c7747 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -254,3 +254,8 @@ init_upstart = true # Allow mount to mount any file/dir # allow_mount_anyfile = true + +# Allow confined domains to communicate with ncsd via shared memory +# +nscd_use_shm = true + diff --git a/policy-F12.patch b/policy-F12.patch index c2c9da9..2929da3 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1313,8 +1313,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## The Fedora hardware profiler client diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2009-10-13 10:09:59.000000000 -0400 -@@ -0,0 +1,68 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2009-10-14 10:05:57.000000000 -0400 +@@ -0,0 +1,66 @@ +policy_module(smoltclient,1.0.0) + +######################################## @@ -1339,7 +1339,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow smoltclient_t self:fifo_file rw_fifo_file_perms; +allow smoltclient_t self:tcp_socket create_socket_perms; +allow smoltclient_t self:udp_socket create_socket_perms; -+allow smoltclient_t self:netlink_route_socket r_netlink_socket_perms; + +can_exec(smoltclient_t, smoltclient_tmp_t) +manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) 
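Review bot: The comment added in booleans-targeted.conf spells the daemon "ncsd" while the boolean and the policy module are named nscd, so a search for the daemon name will miss this entry; it should read `# Allow confined domains to communicate with nscd via shared memory`. The same hunk sets `nscd_use_shm = true`, whereas the nscd.te section of this commit declares `gen_tunable(nscd_use_shm, false)`, so the targeted policy ships with the shared-memory path enabled by default. That is presumably the broader of the two access modes, but the interface bodies are not visible here. A one-line comment saying why the targeted default differs from the declared default would help anyone auditing which confined domains can reach nscd.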
@@ -1355,7 +1354,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +corenet_tcp_connect_http_port(smoltclient_t) + -+dev_read_urand(smoltclient_t) ++auth_use_nsswitch(smoltclient_t) ++ +dev_read_sysfs(smoltclient_t) + +fs_getattr_all_fs(smoltclient_t) @@ -1367,8 +1367,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(smoltclient_t) + -+sysnet_read_config(smoltclient_t) -+ +optional_policy(` + dbus_system_bus_client(smoltclient_t) +') @@ -13482,7 +13480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.32/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/kerberos.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/kerberos.te 2009-10-14 10:10:42.000000000 -0400 @@ -277,6 +277,8 @@ # 
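Review bot: `auth_use_nsswitch(smoltclient_t)` in the smoltclient.te section grants more than the three narrow rules this commit drops in its favour (`netlink_route_socket` in the preceding hunk, `dev_read_urand` here, `sysnet_read_config` in the following hunk). Going by the authlogin.if section later in this patch, the interface also lets the caller use nscd and connect to nslcd, sssd, winbind and ypbind where those modules are present. If the client only needs name-service lookups, record that above the call with a comment such as `# name-service lookups only; accepts the wider auth_use_nsswitch grant`, so the extra access is a documented decision rather than a side effect. Whether auth_use_nsswitch covers reads of the urandom device is not visible here; if it does not, the removal of `dev_read_urand(smoltclient_t)` would show up as AVC denials and should be checked against the audit log before release.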
@@ -14584,10 +14582,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_all_rpc_ports(ypxfr_t) corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.32/policy/modules/services/nscd.if +--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/nscd.if 2009-10-14 10:12:17.000000000 -0400 +@@ -121,6 +121,24 @@ + + ######################################## + ## ++## Use nscd services ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nscd_use',` ++ tunable_policy(`nscd_use_shm',` ++ nscd_shm_use($1) ++ ',` ++ nscd_socket_use($1) ++ ') ++') ++ ++######################################## ++## + ## Use NSCD services by mapping the database from + ## an inherited NSCD file descriptor. + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.32/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nscd.te 2009-09-30 16:12:48.000000000 -0400 -@@ -91,6 +91,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nscd.te 2009-10-14 10:11:11.000000000 -0400 +@@ -5,6 +5,13 @@ + class nscd all_nscd_perms; + ') + ++## ++##

++## Allow confined applications to use nscd shared memory. ++##

++##
++gen_tunable(nscd_use_shm, false) ++ + ######################################## + # + # Declarations +@@ -91,6 +98,7 @@ selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) @@ -14595,7 +14635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) -@@ -128,3 +129,12 @@ +@@ -128,3 +136,12 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -22723,7 +22763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-10-07 13:42:42.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-10-14 10:09:41.000000000 -0400 @@ -40,17 +40,76 @@ ## ## @@ -22999,7 +23039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write to ## login records files. ## -@@ -1395,6 +1537,14 @@ +@@ -1395,16 +1537,33 @@ ') optional_policy(` @@ -23014,18 +23054,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1403,8 +1553,17 @@ - ') - optional_policy(` -+ nslcd_stream_connect($1) +- nscd_socket_use($1) ++ nscd_use($1) + ') + + optional_policy(` -+ sssd_stream_connect($1) ++ nslcd_stream_connect($1) + ') + + optional_policy(` ++ sssd_stream_connect($1) + ') + + optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) + samba_dontaudit_write_var_files($1)
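Review bot: The header comment of the new `nscd_use` interface in nscd.if says only "Use nscd services" and does not mention that the access granted depends on the `nscd_use_shm` boolean. A policy author reading the interface documentation cannot tell that the same call expands to `nscd_shm_use($1)` when the boolean is set and to `nscd_socket_use($1)` otherwise. I would extend the summary to something like `## Use nscd services, through shared memory when nscd_use_shm is set and through the socket otherwise.` The authlogin.if section of this patch switches auth_use_nsswitch to this interface, so the one boolean now selects the nscd access mode for every domain that calls it. The tunable's description in nscd.te should state that scope as well.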