From 712a22f128bf17b309275e8811a30108b90a6c05 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 03 2009 17:14:55 +0000 Subject: - Abrt creates lnk_files --- diff --git a/policy-F12.patch b/policy-F12.patch index 205a406..e446738 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -3026,8 +3026,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.32/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/loadkeys.te 2009-10-01 14:51:17.000000000 -0400 -@@ -45,3 +45,7 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/loadkeys.te 2009-11-03 12:14:31.000000000 -0500 +@@ -40,8 +40,12 @@ + miscfiles_read_localization(loadkeys_t) + + userdom_use_user_ttys(loadkeys_t) +-userdom_list_user_home_dirs(loadkeys_t) ++userdom_list_user_home_content(loadkeys_t) + optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) ') @@ -5732,7 +5738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-10-29 09:23:17.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-11-03 12:03:04.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; 
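Review bot: Replacing `userdom_list_user_home_dirs(loadkeys_t)` with `userdom_list_user_home_content(loadkeys_t)` in the loadkeys.te hunk widens the grant from listing the home directory itself to listing every directory labeled as user home content, which is more than a keymap loader obviously needs. The AVC that motivated it is not in the commit, so the need is inferred; if the denial was for one specific subdirectory a narrower interface would be preferable. A one-line comment above the call, `# loadkeys lists user home content while locating keymaps; see the AVC that prompted this`, would let later readers judge whether the wider rule is still required.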
@@ -5741,6 +5747,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) +@@ -75,7 +76,7 @@ + network_port(amavisd_send, tcp,10025,s0) + network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) + network_port(apcupsd, tcp,3551,s0, udp,3551,s0) +-network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) ++network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) + network_port(audit, tcp,60,s0) + network_port(auth, tcp,113,s0) + network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) @@ -87,26 +88,33 @@ network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) @@ -5807,8 +5822,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -173,27 +188,34 @@ +@@ -171,29 +186,37 @@ + network_port(rsync, tcp,873,s0, udp,873,s0) + network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) ++network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) @@ -5845,7 +5863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -222,6 +244,8 @@ +@@ -222,6 +245,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) 
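Review bot: Removing `udp,5060` from `network_port(asterisk, ...)` in the corenetwork.te.in hunk silently takes SIP away from every domain that reached it through the `corenet_*_asterisk_port` interfaces, since after this change those interfaces no longer cover 5060. Any such caller outside this diff now needs the corresponding `corenet_*_sip_port` call added alongside, and because tcp 5060 was never part of the asterisk port, TCP SIP for asterisk keeps relying on the generic-port rule. A comment next to the asterisk line, `# SIP (5060/5061) moved to the sip port type`, would make the split discoverable to anyone grepping for the old port.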
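Review bot: The new `network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)` line in the corenetwork.te.in hunk bundles plain SIP (5060) with SIP-over-TLS (5061) under one port type, so any domain granted the sip port gets both and the two cannot be separated later without another port relabel. That is a reasonable default but is worth stating, since the asterisk.te change in this same commit binds only the UDP side. The definition sits in the file's alphabetical order, which is good; a short comment, `# sip: 5060 plain (tcp/udp), 5061 SIP-TLS; udp 5060 was previously in asterisk_port_t`, would record the decision.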
@@ -9672,7 +9690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-02 13:58:48.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-03 11:21:35.000000000 -0500 @@ -38,7 +38,7 @@ # abrt local policy # @@ -9682,7 +9700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow abrt_t self:process { signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; -@@ -60,8 +60,9 @@ +@@ -60,13 +60,15 @@ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) # abrt var/cache files @@ -9693,7 +9711,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) # abrt pid files -@@ -75,11 +76,14 @@ +-manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) ++manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) ++manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) + + kernel_read_ring_buffer(abrt_t) +@@ -75,11 +77,14 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -9708,7 +9733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_files(abrt_t) files_read_etc_files(abrt_t) files_read_usr_files(abrt_t) -@@ -101,17 +105,32 @@ +@@ -101,17 +106,32 @@ userdom_read_user_home_content_files(abrt_t) optional_policy(` 
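Review bot: The new `manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)` in the abrt.te hunk is only reachable for symlinks created inside a directory already labeled abrt_var_run_t, because the unchanged `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })` names only file and dir; a symlink abrt creates directly under /var/run would take the parent's type and would not match the new rule. If the lnk_files the commit subject refers to are created at the top level of /var/run, the filetrans should read `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir lnk_file })`. Where abrt actually creates the link is not visible in this diff, so this should be checked against the AVC that prompted the change.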
@@ -11550,6 +11575,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:unix_dgram_socket create_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te +--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-11-03 12:04:14.000000000 -0500 +@@ -97,6 +97,7 @@ + corenet_udp_bind_generic_node(asterisk_t) + corenet_tcp_bind_asterisk_port(asterisk_t) + corenet_udp_bind_asterisk_port(asterisk_t) ++corenet_udp_bind_sip_port(asterisk_t) + corenet_sendrecv_asterisk_server_packets(asterisk_t) + # for VOIP voice channels. + corenet_tcp_bind_generic_port(asterisk_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.32/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-09-30 16:12:48.000000000 -0400 @@ -12756,7 +12792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.32/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cron.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/cron.if 2009-11-03 08:58:13.000000000 -0500 @@ -12,6 +12,10 @@ ## # 
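Review bot: `corenet_udp_bind_sip_port(asterisk_t)` in the asterisk.te hunk covers only UDP, while the sip port type added in the same commit also carries tcp 5060/5061; if asterisk listens for SIP over TCP or TLS it will only bind through the broad `corenet_tcp_bind_generic_port(asterisk_t)` rule below, which defeats the point of defining a dedicated port. Consider adding `corenet_tcp_bind_sip_port(asterisk_t)` and, since the hunk keeps `corenet_sendrecv_asterisk_server_packets(asterisk_t)`, the matching `corenet_sendrecv_sip_server_packets(asterisk_t)` so labeled-packet (SECMARK) deployments still pass SIP traffic. Whether asterisk is configured for TCP SIP on these systems is not visible here, so this is a consistency observation rather than a confirmed denial.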
@@ -12824,6 +12860,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol role system_r types $1; ') +@@ -408,7 +404,7 @@ + type crond_t; + ') + +- allow $1 crond_t:fifo_file { getattr read write }; ++ allow $1 crond_t:fifo_file rw_fifo_file_perms; + ') + + ######################################## @@ -587,11 +583,14 @@ # interface(`cron_read_system_job_tmp_files',` @@ -23455,7 +23500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-10-29 17:51:12.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-03 09:21:14.000000000 -0500 @@ -89,8 +89,8 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -23606,7 +23651,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -728,7 +728,7 @@ +@@ -585,6 +585,11 @@ + ') + + domtrans_pattern($1, xauth_exec_t, xauth_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit xauth_exec_t $1:unix_stream_socket rw_socket_perms; ++ dontaudit xauth_exec_t $1:tcp_socket rw_socket_perms; ++') + ') + + ######################################## +@@ -728,7 +733,7 @@ type xdm_t; ') @@ -23615,7 +23672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -764,11 +764,11 @@ +@@ -764,11 +769,11 @@ # interface(`xserver_stream_connect_xdm',` gen_require(` 
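Review bot: Replacing `allow $1 crond_t:fifo_file { getattr read write };` with `allow $1 crond_t:fifo_file rw_fifo_file_perms;` in the cron.if hunk is more than a style change: the macro expands to a larger set than the explicit triple (in refpolicy it also covers open, ioctl, lock and append), so every caller of this interface gains permissions it did not have. That is probably intended for consistency with the rest of the file, but the interface's `##` description above the hunk should be checked to say it grants read/write access to crond's pipes rather than a fixed set.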
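Review bot: The two dontaudit rules added inside the xauth domtrans interface in the xserver.if hunk name `xauth_exec_t`, a file type, as the source: `dontaudit xauth_exec_t $1:unix_stream_socket rw_socket_perms;`. AVC denials carry the process domain as source, so a rule keyed on the executable's type never matches and nothing is silenced; the intended source is almost certainly `xauth_t`, i.e. `dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;` and `dontaudit xauth_t $1:tcp_socket rw_socket_perms;`, which the interface already requires for its `domtrans_pattern`. This matters because the same commit removes `userdom_dontaudit_rw_stream(xauth_t)` from xserver.te, so those denials will now be logged instead of hidden. The added `ifdef` block should also be indented to the interface body's tab level to match the rest of the file.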
@@ -23629,7 +23686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -802,10 +802,10 @@ +@@ -802,10 +807,10 @@ # interface(`xserver_setattr_xdm_tmp_dirs',` gen_require(` @@ -23642,7 +23699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -821,12 +821,13 @@ +@@ -821,12 +826,13 @@ # interface(`xserver_create_xdm_tmp_sockets',` gen_require(` @@ -23659,7 +23716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -845,7 +846,44 @@ +@@ -845,7 +851,44 @@ ') files_search_pids($1) @@ -23705,7 +23762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -868,6 +906,75 @@ +@@ -868,6 +911,75 @@ ######################################## ## @@ -23781,7 +23838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -886,6 +993,24 @@ +@@ -886,6 +998,24 @@ ######################################## ## @@ -23806,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -961,6 +1086,27 @@ +@@ -961,6 +1091,27 @@ ######################################## ## @@ -23834,7 +23891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write the X server ## log files. ## -@@ -1014,11 +1160,11 @@ +@@ -1014,11 +1165,11 @@ # interface(`xserver_read_xdm_tmp_files',` gen_require(` 
@@ -23848,7 +23905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1033,11 +1179,11 @@ +@@ -1033,11 +1184,11 @@ # interface(`xserver_dontaudit_read_xdm_tmp_files',` gen_require(` @@ -23863,7 +23920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1052,11 +1198,11 @@ +@@ -1052,11 +1203,11 @@ # interface(`xserver_rw_xdm_tmp_files',` gen_require(` @@ -23878,7 +23935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1071,10 +1217,10 @@ +@@ -1071,10 +1222,10 @@ # interface(`xserver_manage_xdm_tmp_files',` gen_require(` @@ -23891,7 +23948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1089,10 +1235,10 @@ +@@ -1089,10 +1240,10 @@ # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` gen_require(` @@ -23904,7 +23961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1107,10 +1253,11 @@ +@@ -1107,10 +1258,11 @@ # interface(`xserver_domtrans',` gen_require(` @@ -23917,7 +23974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1248,6 +1395,278 @@ +@@ -1248,6 +1400,278 @@ ######################################## ## @@ -24196,7 +24253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1261,7 +1680,103 @@ +@@ -1261,7 +1685,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; 
@@ -24205,7 +24262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1 xserver_unconfined_type; + typeattribute $1 x_domain; -+') + ') + +######################################## +## @@ -24277,7 +24334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_communicate($1, $1) + xserver_stream_connect($1) + xserver_use_xdm($1) - ') ++') + +######################################## +## @@ -24302,7 +24359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-02 09:24:58.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-03 09:20:54.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -24471,7 +24528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_xattr_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) -@@ -279,6 +301,12 @@ +@@ -279,6 +301,10 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -24479,12 +24536,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_manage_user_home_content_files(xauth_t) +') + -+userdom_dontaudit_rw_stream(xauth_t) -+ xserver_rw_xdm_tmp_files(xauth_t) tunable_policy(`use_nfs_home_dirs',` -@@ -300,20 +328,31 @@ +@@ -300,20 +326,31 @@ # XDM Local policy # 
@@ -24519,7 +24574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,26 +364,43 @@ +@@ -325,26 +362,43 @@ # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) @@ -24570,7 +24625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +414,7 @@ +@@ -358,6 +412,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -24578,7 +24633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,10 +423,14 @@ +@@ -366,10 +421,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -24594,7 +24649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +450,13 @@ +@@ -389,11 +448,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -24608,7 +24663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +464,7 @@ +@@ -401,6 +462,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
@@ -24616,7 +24671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +477,17 @@ +@@ -413,14 +475,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -24636,7 +24691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +498,13 @@ +@@ -431,9 +496,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -24650,7 +24705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +513,7 @@ +@@ -442,6 +511,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -24658,7 +24713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +522,7 @@ +@@ -450,6 +520,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -24666,7 +24721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +533,11 @@ +@@ -460,10 +531,11 @@ logging_read_generic_logs(xdm_t) @@ -24680,7 +24735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +546,9 @@ +@@ -472,6 +544,9 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -24690,7 +24745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +581,12 @@ +@@ -504,10 +579,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -24703,7 +24758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +594,46 @@ +@@ -515,12 +592,46 @@ ') optional_policy(` @@ -24750,7 +24805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +655,38 @@ +@@ -542,6 +653,38 @@ ') optional_policy(` @@ -24789,7 +24844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +695,9 @@ +@@ -550,8 +693,9 @@ ') optional_policy(` @@ -24801,7 +24856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +706,6 @@ +@@ -560,7 +704,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -24809,7 +24864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +716,10 @@ +@@ -571,6 +714,10 @@ ') optional_policy(` @@ -24820,7 +24875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +736,9 @@ +@@ -587,10 +734,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -24832,7 +24887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +750,12 @@ +@@ -602,9 +748,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24845,7 +24900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +767,14 @@ +@@ -616,13 +765,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -24861,7 +24916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +787,19 @@ +@@ -635,9 +785,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24881,7 +24936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +833,6 @@ +@@ -671,7 +831,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -24889,7 +24944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +842,12 @@ +@@ -681,9 +840,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) 
@@ -24903,7 +24958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +862,12 @@ +@@ -698,8 +860,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -24916,7 +24971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +889,7 @@ +@@ -721,6 +887,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -24924,7 +24979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +912,7 @@ +@@ -743,7 +910,7 @@ ') ifdef(`enable_mls',` @@ -24933,7 +24988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +944,20 @@ +@@ -775,12 +942,20 @@ ') optional_policy(` @@ -24955,7 +25010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,12 +984,12 @@ +@@ -807,12 +982,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -24972,7 +25027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -828,9 +1005,14 @@ +@@ -828,9 +1003,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24987,7 +25042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1027,14 @@ +@@ -845,11 +1025,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -25003,7 +25058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1067,8 @@ +@@ -882,6 +1065,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -25012,7 +25067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1093,8 @@ +@@ -906,6 +1091,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -25021,7 +25076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1162,49 @@ +@@ -973,17 +1160,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -25512,13 +25567,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # PAM local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2009-11-02 15:59:17.000000000 -0500 
@@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -21,7 +20,6 @@ +@@ -6,6 +5,7 @@ + /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -21,7 +21,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -28119,7 +28182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-11-03 08:56:35.000000000 -0500 @@ -18,8 +18,12 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -28270,10 +28333,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -172,6 +212,21 @@ +@@ -172,6 +212,25 @@ ') optional_policy(` ++ cron_system_entry(mount_t, mount_exec_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(mount_t) + + optional_policy(` 
@@ -28292,7 +28359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +234,11 @@ +@@ -179,6 +238,11 @@ ') ') @@ -28304,7 +28371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +246,7 @@ +@@ -186,6 +250,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -28312,7 +28379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -195,5 +256,8 @@ +@@ -195,5 +260,8 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -30540,7 +30607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-02 08:56:44.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-03 11:58:36.000000000 -0500 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 26675e0..e361b47 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 39%{?dist} +Release: 40%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,10 @@ exit 0 %endif %changelog +* Tue Nov 3 2009 Dan Walsh 3.6.32-40 +- Abrt creates lnk_files + + * Mon Nov 2 2009 Dan Walsh 3.6.32-39 - Allow setroubleshoot-fix to signull user domains
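Review bot: The new `cron_system_entry(mount_t, mount_exec_t)` in the mount.te hunk lets system cron jobs transition into mount_t, a domain that can mount filesystems; that is a sensible fix for a cron-driven mount, but neither the commit subject (`Abrt creates lnk_files`) nor the spec changelog mentions it, so the reason for the grant is lost. A comment above the block, `# system cron jobs run mount; transition them to mount_t rather than leaving them in the cron domain`, and a changelog line would document it. Which cron job triggered the need is not visible in this diff.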