From 89db6d81ea91c866f2460f68aaf55716e60a85f4 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 23 2009 17:06:28 +0000 Subject: - Add google-earth labeling --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 36fe000..63c4476 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -655058,7 +655058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.3.1/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-03-20 09:44:49.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-03-23 10:41:10.000000000 +0100 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t,mysqld_exec_t) @@ -655100,7 +655100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq domain_use_interactive_fds(mysqld_t) -@@ -119,3 +128,37 @@ +@@ -119,3 +128,40 @@ optional_policy(` udev_read_db(mysqld_t) ') @@ -655115,6 +655115,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + ++allow mysqld_safe_t mysqld_log_t:file manage_file_perms; ++logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) ++ +mysql_append_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) 
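Review bot: `allow mysqld_safe_t mysqld_log_t:file manage_file_perms;` grants the mysqld_safe wrapper create/unlink/rename/link on every mysqld_log_t file, which is wider than opening its own error log for append; the rest of this file expresses such grants through the pattern macros, so `manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` if full management is really needed, or `append_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` plus `create` if it only appends, would be the conventional and narrower form. The unqualified `logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)` labels any file mysqld_safe creates directly under /var/log as mysqld_log_t, so a why-comment such as `# mysqld_safe creates/appends the error log under /var/log before starting mysqld` would record the intent. The mysqld_safe_t rule block starts earlier in the patch than this hunk shows.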
@@ -670248,7 +670251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2009-03-20 09:46:49.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2009-03-23 10:46:22.000000000 +0100 @@ -69,8 +69,10 @@ ifdef(`distro_gentoo',` # despite the extensions, they are actually libs @@ -670374,7 +670377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -301,6 +321,28 @@ +@@ -301,6 +321,30 @@ /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') @@ -670398,7 +670401,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sse2/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++# google-earth ++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + 
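Review bot: The two added google-earth entries end in `\.so.*`, which matches any regular file whose name contains `.so` anywhere after the last directory (an extension that merely begins with `so` qualifies), whereas every other entry in this hunk bounds the suffix with `\.so(\..*)?` or `\.so(\.[^/]*)*`. textrel_shlib_t is the type that permits text relocation (execmod), so over-matching silently extends that permission to non-library files shipped under those directories. Suggested `/opt/google-earth/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and the same suffix on the `/usr/lib(64)?/google-earth` line.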
@@ -671585,16 +671590,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ################################# diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.3.1/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/mount.fc 2009-02-12 22:21:57.000000000 +0100 -@@ -1,4 +1,6 @@ ++++ serefpolicy-3.3.1/policy/modules/system/mount.fc 2009-03-23 11:00:51.000000000 +0100 +@@ -1,4 +1,10 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -- --/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) ++ ++/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) + +-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.3.1/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2008-02-26 14:23:09.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/system/mount.if 2009-02-12 22:21:57.000000000 +0100 
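Review bot: `/var/cache/davfs2(/.*)?` is labeled mount_var_run_t, a type the mount.te hunk below declares with files_pid_file, so a persistent directory under /var/cache inherits every interface written for pid files (domains allowed to delete, relabel or manage all pid files will reach the davfs2 cache as well). If that cache holds more than transient runtime state — I believe davfs2 caches file data from the mounted share, worth confirming — a separate cache type declared with files_type would be the conventional split. At minimum a comment above the two entries, `# davfs2 runtime state in /var/run/davfs2 and its cache in /var/cache/davfs2 share one type`, would explain why a cache directory carries a pid-file type.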
@@ -671635,8 +671643,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/mount.te 2009-02-12 22:21:57.000000000 +0100 -@@ -18,17 +18,18 @@ ++++ serefpolicy-3.3.1/policy/modules/system/mount.te 2009-03-23 11:00:15.000000000 +0100 +@@ -18,17 +18,21 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -671655,15 +671663,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. type unconfined_mount_t; application_domain(unconfined_mount_t,mount_exec_t) +role system_r types unconfined_mount_t; ++ ++type mount_var_run_t; ++files_pid_file(mount_var_run_t) ######################################## # -@@ -36,23 +37,26 @@ +@@ -36,23 +40,33 @@ # # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; ++allow mount_t self:process { ptrace signal }; allow mount_t mount_loopback_t:file read_file_perms; 
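Review bot: `allow mount_t self:process { ptrace signal };` adds self-ptrace to a domain that already holds sys_admin, sys_rawio and dac_override, and nothing in the hunk says which operation needs it; self ptrace typically surfaces, as far as I can tell, when a program reads its own /proc/self memory-related entries, and if the AVC behind this line was harmless noise the safer record is `dontaudit mount_t self:process ptrace;` together with `allow mount_t self:process signal;`. If the permission really is required, a why-comment on the line naming the helper and the /proc access that triggers it would let a later reviewer keep it. The mount_t rule block continues past the end of this hunk.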
@@ -671671,10 +671683,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) - can_exec(mount_t, mount_exec_t) +-can_exec(mount_t, mount_exec_t) ++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) ++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) ++files_pid_filetrans(mount_t,mount_var_run_t,dir) ++files_var_filetrans(mount_t,mount_var_run_t,dir) -files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) -- ++can_exec(mount_t, mount_exec_t) + +# In order to mount reiserfs_t +kernel_list_unlabeled(mount_t) kernel_read_system_state(mount_t) @@ -671685,10 +671702,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) ++dev_read_rand(mount_t) dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) -@@ -62,16 +66,20 @@ +@@ -62,16 +76,20 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -671711,7 +671729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -87,7 +95,7 @@ +@@ -87,7 +105,7 @@ files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: @@ -671720,7 +671738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -100,6 +108,8 @@ +@@ -100,6 +118,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) 
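Review bot: `files_var_filetrans(mount_t,mount_var_run_t,dir)` is an unqualified transition, so every directory mount_t creates in any var_t directory — not only /var/cache/davfs2 — is created as mount_var_run_t, and the two manage_*_pattern rules just above then let mount_t manage all of them; `files_pid_filetrans(mount_t,mount_var_run_t,dir)` has the same effect under /var/run. Filename-qualified transitions are not available at this policy version as far as I can tell, so the intended targets should at least be recorded: `# davfs2: mount creates /var/run/davfs2 and /var/cache/davfs2; the transitions are unqualified and catch any dir mount_t makes there` above the two filetrans lines. The mount_t rule block starts and ends outside this hunk.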
@@ -671729,7 +671747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. auth_use_nsswitch(mount_t) -@@ -119,6 +129,8 @@ +@@ -119,6 +139,8 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -671738,7 +671756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -167,6 +179,8 @@ +@@ -167,6 +189,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -671747,7 +671765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -181,6 +195,11 @@ +@@ -181,6 +205,11 @@ ') ') @@ -671759,7 +671777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -188,6 +207,7 @@ +@@ -188,6 +217,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -671767,7 +671785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -198,4 +218,26 @@ +@@ -198,4 +228,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index c5bf1a8..bf2a7f2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 128%{?dist} +Release: 129%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Mon Mar 23 2009 Miroslav Grepl 3.3.1-129 +- Add google-earth labeling + * Fri Mar 20 2009 Miroslav Grepl 3.3.1-128 - Add gitosis policy