From 8a0604e91972fac8874f66db31a8fcf09e8556a8 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 06 2009 12:51:59 +0000 Subject: -Remove duplicate line --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 0f2e297..5e7b769 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -4897,7 +4897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-05 14:05:47.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-05 18:05:12.000000000 -0400 @@ -32,6 +32,8 @@ # # /etc @@ -4907,18 +4907,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) -@@ -134,6 +136,10 @@ +@@ -134,6 +136,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') +/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) +/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /usr # -@@ -210,6 +216,7 @@ +@@ -210,6 +215,7 @@ /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) @@ -4926,7 +4925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) -@@ -299,3 +306,20 @@ +@@ -299,3 +305,20 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -8952,7 +8951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-05-06 08:47:58.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # @@ -9331,20 +9330,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -493,6 +614,12 @@ - openca_kill(httpd_t) +@@ -494,12 +615,23 @@ ') + optional_policy(` ++ rpc_search_nfs_state_data(httpd_t) ++') ++ +tunable_policy(`httpd_execmem',` + allow httpd_t self:process { execmem execstack }; + allow httpd_sys_script_t self:process { execmem execstack }; + allow httpd_suexec_t self:process { execmem execstack }; +') + - optional_policy(` ++optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -500,6 +627,7 @@ + postgresql_unpriv_client(httpd_t) tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -9352,7 +9354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +636,7 @@ +@@ -508,6 +640,7 @@ ') optional_policy(` @@ -9360,7 +9362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +664,22 @@ +@@ -535,6 +668,22 @@ userdom_use_user_terminals(httpd_helper_t) @@ -9383,7 +9385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +709,25 @@ +@@ -564,20 +713,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -9415,7 +9417,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +745,24 @@ +@@ -595,23 +749,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -9444,7 +9446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +775,7 @@ +@@ -624,6 +779,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -9452,7 +9454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -641,12 +793,20 @@ +@@ -641,12 +797,20 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -9476,7 +9478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +832,14 @@ +@@ -672,15 +836,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -9495,7 +9497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +858,24 @@ +@@ -699,12 +862,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -9522,7 +9524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +883,35 @@ +@@ -712,6 +887,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -9558,7 +9560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +924,10 @@ +@@ -724,6 +928,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -9569,7 +9571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +939,8 @@ +@@ -735,6 +943,8 @@ # httpd_rotatelogs local policy # @@ -9578,7 +9580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,6 +960,12 @@ +@@ -754,6 +964,12 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -9591,7 +9593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # allow accessing files/dirs below the users home dir -@@ -762,3 +974,66 @@ +@@ -762,3 +978,67 @@ userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') @@ -9658,6 +9660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.6.12/policy/modules/services/audioentropy.te --- nsaserefpolicy/policy/modules/services/audioentropy.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/audioentropy.te 2009-04-23 09:44:57.000000000 -0400 @@ -9685,7 +9688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.12/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/automount.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/automount.te 2009-05-06 08:47:22.000000000 -0400 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) @@ -25238,7 +25241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-27 08:35:28.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-06 08:50:01.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -25427,7 +25430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; -@@ -314,6 +340,11 @@ +@@ -314,6 +340,13 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -25436,10 +25439,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) ++#Handle mislabeled files in homedir ++userdom_delete_user_home_content_files(xdm_t) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -329,22 +360,38 @@ +@@ -329,22 +362,38 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -25481,7 +25486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +405,7 @@ +@@ -358,6 +407,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -25489,7 +25494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) -@@ -366,10 +414,14 @@ +@@ -366,10 +416,14 @@ delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) @@ -25505,7 +25510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +441,13 @@ +@@ -389,11 +443,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -25519,7 +25524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +455,7 @@ +@@ -401,6 +457,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -25527,7 +25532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +468,17 @@ +@@ -413,14 +470,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -25547,7 +25552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +489,13 @@ +@@ -431,9 +491,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -25561,7 +25566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +504,7 @@ +@@ -442,6 +506,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -25569,7 +25574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +513,7 @@ +@@ -450,6 +515,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -25577,7 +25582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +524,10 @@ +@@ -460,10 +526,10 @@ logging_read_generic_logs(xdm_t) @@ -25590,7 +25595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +536,8 @@ +@@ -472,6 +538,8 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -25599,7 +25604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t,xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +570,12 @@ +@@ -504,10 +572,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -25612,7 +25617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +583,45 @@ +@@ -515,12 +585,45 @@ ') optional_policy(` @@ -25658,7 +25663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +643,23 @@ +@@ -542,6 +645,23 @@ ') optional_policy(` @@ -25682,7 +25687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +668,9 @@ +@@ -550,8 +670,9 @@ ') optional_policy(` @@ -25694,7 +25699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +679,6 @@ +@@ -560,7 +681,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -25702,7 +25707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +689,10 @@ +@@ -571,6 +691,10 @@ ') optional_policy(` @@ -25713,7 +25718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +709,7 @@ +@@ -587,7 +711,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -25722,7 +25727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +724,11 @@ +@@ -602,9 +726,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -25734,7 +25739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +740,14 @@ +@@ -616,13 +742,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -25750,7 +25755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +760,19 @@ +@@ -635,9 +762,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -25770,7 +25775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +815,14 @@ +@@ -680,9 +817,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -25785,7 +25790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +837,13 @@ +@@ -697,8 +839,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -25799,7 +25804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +865,7 @@ +@@ -720,6 +867,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -25807,7 +25812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +888,7 @@ +@@ -742,7 +890,7 @@ ') ifdef(`enable_mls',` @@ -25816,7 +25821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,12 +920,16 @@ +@@ -774,12 +922,16 @@ ') optional_policy(` @@ -25834,7 +25839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -806,7 +956,7 @@ +@@ -806,7 +958,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -25843,7 +25848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +977,14 @@ +@@ -827,9 +979,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -25858,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +999,14 @@ +@@ -844,11 +1001,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -25874,7 +25879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1014,11 @@ +@@ -856,6 +1016,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -25886,7 +25891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1044,8 @@ +@@ -881,6 +1046,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -25895,7 +25900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1070,8 @@ +@@ -905,6 +1072,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -25904,7 +25909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1139,49 @@ +@@ -972,17 +1141,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28200,16 +28205,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/mount.te 2009-04-23 09:44:57.000000000 -0400 -@@ -18,17 +18,21 @@ ++++ serefpolicy-3.6.12/policy/modules/system/mount.te 2009-05-06 07:59:38.000000000 -0400 +@@ -18,17 +18,22 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; +-type mount_loopback_t; # customizable +-files_type(mount_loopback_t) +typealias mount_t alias mount_ntfs_t; +typealias mount_exec_t alias mount_ntfs_exec_t; + - type mount_loopback_t; # customizable - files_type(mount_loopback_t) ++type mount_loop_t; # customizable ++files_type(mount_loop_t) ++typealias mount_loop_t alias mount_loopback_t; type mount_tmp_t; files_tmp_file(mount_tmp_t) @@ -28226,7 +28234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -36,7 +40,8 @@ +@@ -36,9 +41,10 @@ # # setuid/setgid needed to mount cifs @@ -28234,9 +28242,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:process { ptrace signal }; - allow mount_t mount_loopback_t:file read_file_perms; +-allow mount_t mount_loopback_t:file read_file_perms; ++allow mount_t mount_loop_t:file read_file_perms; -@@ -47,12 +52,25 @@ + allow mount_t mount_tmp_t:file manage_file_perms; + allow mount_t mount_tmp_t:dir manage_dir_perms; +@@ -47,12 +53,25 @@ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) @@ -28262,7 +28273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) -@@ -62,16 +80,19 @@ +@@ -62,16 +81,19 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -28285,7 +28296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(mount_t) -@@ -79,6 +100,7 @@ +@@ -79,6 +101,7 @@ corecmd_exec_bin(mount_t) domain_use_interactive_fds(mount_t) @@ -28293,7 +28304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_all(mount_t) files_read_etc_files(mount_t) -@@ -87,7 +109,7 @@ +@@ -87,7 +110,7 @@ files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: @@ -28302,7 +28313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -100,6 +122,8 @@ +@@ -100,6 +123,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -28311,7 +28322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(mount_t) -@@ -116,6 +140,7 @@ +@@ -116,6 +141,7 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -28319,7 +28330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -133,7 +158,7 @@ +@@ -133,7 +159,7 @@ tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) @@ -28328,7 +28339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mounton_non_security(mount_t) ') -@@ -141,16 +166,16 @@ +@@ -141,16 +167,16 @@ # for nfs corenet_all_recvfrom_unlabeled(mount_t) corenet_all_recvfrom_netlabel(mount_t) @@ -28353,7 +28364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -164,6 +189,8 @@ +@@ -164,6 +190,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -28362,7 +28373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -171,6 +198,15 @@ +@@ -171,6 +199,15 @@ ') optional_policy(` @@ -28378,7 +28389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -178,6 +214,11 @@ +@@ -178,6 +215,11 @@ ') ') @@ -28390,7 +28401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -185,14 +226,24 @@ +@@ -185,14 +227,24 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -30468,7 +30479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-28 16:06:27.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-06 08:49:37.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 734ce81..30db0f9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 29%{?dist} +Release: 30%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -477,6 +477,9 @@ exit 0 %endif %changelog +* Tue May 5 2009 Dan Walsh 3.6.12-30 +-Remove duplicate line + * Tue May 5 2009 Dan Walsh 3.6.12-29 - Allow svirt to manage pci and other sysfs device data