From 8b5e0426af840d5350891500ad85530b4c221ef9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 23 2008 20:05:05 +0000 Subject: - Fix vncserver transition to work properly in unconfined environment. - Allow virsh to run --- diff --git a/policy-20071130.patch b/policy-20071130.patch index a806e2a..1522e21 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2219,7 +2219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.3.1/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/rpm.fc 2008-05-19 20:41:09.964376000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/rpm.fc 2008-05-19 20:41:09.000000000 -0400 @@ -1,4 +1,5 @@ +/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -2763,7 +2763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-05-20 15:07:09.517883000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-05-20 15:07:09.000000000 -0400 @@ -55,7 +55,7 @@ # 
@@ -2873,7 +2873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-05-19 14:33:10.697566000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-05-19 14:33:10.000000000 -0400 @@ -26,8 +26,10 @@ files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) @@ -5786,7 +5786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-05-19 20:22:19.444823000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-05-19 20:22:19.000000000 -0400 @@ -0,0 +1,210 @@ + +policy_module(nsplugin,1.0.0) @@ -7731,7 +7731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## all protocols (TCP, UDP, etc) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-02-26 08:23:11.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-05-19 19:58:45.272900000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-05-19 19:58:45.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations 
@@ -7807,7 +7807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # /emul diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-02-26 08:23:11.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-05-19 14:32:53.055377000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-05-19 14:32:53.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -9112,7 +9112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-05-19 19:29:34.369969000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-05-19 19:29:34.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -9695,7 +9695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-05-19 19:30:26.515048000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-05-19 19:30:26.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # 
@@ -11785,7 +11785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-05-19 13:51:15.433522000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-05-19 13:51:15.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -15861,7 +15861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-05-19 14:24:22.375757000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-05-19 14:24:22.000000000 -0400 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -19206,7 +19206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pods + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.te serefpolicy-3.3.1/policy/modules/services/podsleuth.te --- nsaserefpolicy/policy/modules/services/podsleuth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/podsleuth.te 2008-05-19 14:04:32.837090000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.te 2008-05-19 14:04:32.000000000 -0400 @@ -0,0 +1,73 @@ +policy_module(podsleuth,1.0.0) + 
@@ -19720,7 +19720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port files_lock_file(portslave_lock_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.3.1/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.fc 2008-05-19 20:15:05.607591000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.fc 2008-05-19 20:15:05.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -20656,8 +20656,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-05-08 11:06:32.000000000 -0400 -@@ -0,0 +1,160 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-05-21 09:26:44.017615000 -0400 +@@ -0,0 +1,162 @@ +policy_module(prelude,1.0.0) + +######################################## @@ -20710,6 +20710,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +dev_read_rand(prelude_t) +dev_read_urand(prelude_t) + ++fs_rw_anon_inodefs_files(prelude_t) ++ +manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +files_pid_filetrans(prelude_t, prelude_var_run_t, file) 
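Review bot: The new rule `+fs_rw_anon_inodefs_files(prelude_t)` in the prelude.te hunk carries no comment and is not mentioned in the commit subject or the spec changelog, so a later reader cannot tell which prelude behaviour it serves or what denial motivated it; anon_inodefs access is what eventfd/epoll/signalfd-style descriptors typically need, but that is an inference, not something the hunk shows. I would add a comment directly above it, `# rw on anonymous inodes: needed for <observed AVC — fill in>`, so the grant can be re-justified when prelude is next revised. The inner header change to `+1,162` is consistent with the two added lines, so nothing else in the count needs adjusting. The prelude_t rule list this sits in continues outside the hunk on both sides.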
@@ -20968,7 +20970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.3.1/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/procmail.te 2008-05-20 14:38:46.558794000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/procmail.te 2008-05-20 14:38:46.000000000 -0400 @@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) @@ -22672,7 +22674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-05-19 20:37:48.275117000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-05-19 20:37:48.000000000 -0400 @@ -59,6 +59,13 @@ ## gen_tunable(samba_share_nfs,false) @@ -23099,7 +23101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.3.1/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/sendmail.if 2008-05-20 16:49:39.433100000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/sendmail.if 2008-05-20 16:49:39.000000000 -0400 @@ -149,3 +149,104 @@ logging_log_filetrans($1,sendmail_log_t,file) 
@@ -23931,7 +23933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.3.1/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.fc 2008-05-20 16:49:22.009675000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.fc 2008-05-20 16:49:22.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0) @@ -23959,7 +23961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.3.1/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.if 2008-05-20 14:40:41.765890000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.if 2008-05-20 14:40:41.000000000 -0400 @@ -34,10 +34,11 @@ # cjp: when tunables are available, spamc stuff should be # toggled on activation of spamc, and similarly for spamd. 
@@ -24528,7 +24530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-05-20 17:09:45.819685000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-05-20 17:09:45.000000000 -0400 @@ -21,8 +21,10 @@ gen_tunable(spamd_enable_home_dirs,true) @@ -28010,7 +28012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-05-19 19:35:11.691946000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-05-19 19:35:11.000000000 -0400 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -29185,7 +29187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.3.1/policy/modules/system/iscsi.fc --- nsaserefpolicy/policy/modules/system/iscsi.fc 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/iscsi.fc 2008-05-19 15:04:22.244631000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/iscsi.fc 2008-05-19 15:04:22.000000000 -0400 @@ -1,5 +1,5 @@ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) 
@@ -29411,7 +29413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-05-19 11:15:24.271305000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-05-19 11:15:24.000000000 -0400 @@ -4,6 +4,8 @@ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) @@ -29678,7 +29680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-05-19 11:12:09.510711000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-05-19 11:12:09.000000000 -0400 @@ -61,10 +61,29 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) 
@@ -31967,14 +31969,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-13 13:33:13.000000000 -0400 -@@ -2,15 +2,16 @@ ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-21 12:57:26.790978000 -0400 +@@ -1,16 +1,17 @@ + # Add programs here which should not be confined by SELinux # e.g.: - # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) +-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) 
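Review bot: The kept context comment `# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t` now sits directly above an entry list from which the only `unconfined_exec_t` entry, `/usr/bin/vncserver`, is removed (it reappears in the next hunk labelled `unconfined_notrans_exec_t`), and the surviving entries around it are `unconfined_execmem_exec_t` or are themselves being deleted, so the comment no longer describes anything that follows it. Since the example line in the same hunk is updated to `unconfined_notrans_exec_t`, the explanatory comment should move with it, e.g. `# Programs listed here run unconfined; see unconfined.te for unconfined_notrans_exec_t vs unconfined_execmem_exec_t`. Leaving the old wording invites someone to add a new `unconfined_exec_t` entry expecting an initrc-to-unconfined_t transition that this commit is removing. The rest of the unconfined.fc entry list continues in the following hunk.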
@@ -31987,6 +31991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if @@ -32336,8 +32341,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-05-19 14:53:47.698966000 -0400 -@@ -6,35 +6,74 @@ ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-05-21 12:56:39.697504000 -0400 +@@ -6,35 +6,71 @@ # Declarations # 
@@ -32369,13 +32374,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -userdom_manage_home_template(unconfined) -userdom_manage_tmp_template(unconfined) -userdom_manage_tmpfs_template(unconfined) +- +-type unconfined_exec_t; +-init_system_domain(unconfined_t, unconfined_exec_t) +userdom_restricted_user_template(unconfined) +userdom_common_user_template(unconfined) +#userdom_xwindows_client_template(unconfined) - - type unconfined_exec_t; - init_system_domain(unconfined_t, unconfined_exec_t) -+role unconfined_r types unconfined_t; + +domain_user_exemption_target(unconfined_t) +allow system_r unconfined_r; @@ -32391,6 +32395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +type unconfined_notrans_exec_t; +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) +role unconfined_r types unconfined_notrans_t; ++typealias unconfined_notrans_exec_t alias unconfined_exec_t; + ######################################## # @@ -32416,7 +32421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,37 +81,44 @@ +@@ -42,37 +78,44 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -32471,7 +32476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -101,12 +147,24 @@ +@@ -101,12 +144,24 @@ ') optional_policy(` @@ -32496,7 +32501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +176,7 @@ +@@ -118,11 +173,7 @@ ') optional_policy(` 
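Review bot: `typealias unconfined_notrans_exec_t alias unconfined_exec_t;` is added without a comment while the preceding hunk turns `type unconfined_exec_t;` and `init_system_domain(unconfined_t, unconfined_exec_t)` into deletions, so any file still labelled `unconfined_exec_t` on disk, and any third-party module naming that type, now silently enters `unconfined_notrans_t` (declared via `init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)` in context) instead of `unconfined_t`. That looks like the intended compatibility shim for the vncserver fix, but a label changing which domain it enters is worth stating next to the alias: `# compat: the old unconfined_exec_t label now enters unconfined_notrans_t; unconfined_t has no entrypoint via it`. The dropped `role unconfined_r types unconfined_t;` is only safe if one of the userdom templates kept above already declares that role/type pairing, which the hunks visible here do not show and should be confirmed against userdomain.if. The changelog's "Allow virsh to run" has no corresponding rule in any hunk visible here; if it is meant to be satisfied by this alias, say so. The unconfined.te declarations block this belongs to starts outside the hunk.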
@@ -32509,7 +32514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +188,6 @@ +@@ -134,14 +185,6 @@ ') optional_policy(` @@ -32524,7 +32529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +200,45 @@ +@@ -154,38 +197,45 @@ ') optional_policy(` @@ -32583,7 +32588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -193,23 +246,33 @@ +@@ -193,23 +243,33 @@ ') optional_policy(` @@ -32622,7 +32627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +282,35 @@ +@@ -219,14 +279,35 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -32678,7 +32683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-20 15:06:31.300021000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-20 15:06:31.000000000 -0400 @@ -29,9 +29,14 @@ ') 
@@ -36336,7 +36341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-05-19 20:18:47.086063000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-05-19 20:18:47.000000000 -0400 @@ -0,0 +1,198 @@ + +policy_module(virt,1.0.0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 78a370e..1331043 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 55%{?dist} +Release: 56%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -385,6 +385,10 @@ exit 0 %endif %changelog +* Wed May 21 2008 Dan Walsh 3.3.1-56 +- Fix vncserver transition to work properly in unconfined environment. +- Allow virsh to run + * Tue May 20 2008 Dan Walsh 3.3.1-55 - More fixes for spamassassin