From 9152b4b298bfd76fa099b1802da06c3cd8b28357 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jul 31 2009 08:41:12 +0000
Subject: - Allow lircd read/write input event devices
---
diff --git a/policy-20090521.patch b/policy-20090521.patch
index 34b911a..c18d4d1 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -1368,7 +1368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-07-31 09:37:03.000000000 +0200
 @@ -134,7 +134,7 @@
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  type lrrd_port_t, port_type;
  dnl network_port(lrrd_port_t) # no defined portcon
@@ -2087,6 +2087,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_list_admin_dir($1) role system_r types $1; ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te +--- nsaserefpolicy/policy/modules/services/cron.te 2009-06-25 10:19:44.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-07-30 17:13:52.000000000 +0200 +@@ -440,7 +440,7 @@ + init_dontaudit_rw_utmp(system_cronjob_t) + # prelink tells init to restart it self, we either need to allow or dontaudit + init_telinit(system_cronjob_t) +-init_spec_domtrans_script(system_cronjob_t) ++init_domtrans_script(system_cronjob_t) + + auth_use_nsswitch(system_cronjob_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-07-07 09:04:11.000000000 +0200 @@ -2492,12 +2504,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kerberos_use(kpropd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-06-25 10:21:01.000000000 +0200 -@@ -45,6 +45,9 @@ ++++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-07-30 17:14:36.000000000 +0200 +@@ -45,6 +45,10 @@ dev_filetrans(lircd_t, lircd_sock_t, sock_file ) dev_read_generic_usb_dev(lircd_t) +dev_filetrans_lirc(lircd_t) ++dev_rw_input_dev(lircd_t) +dev_rw_lirc(lircd_t) + logging_send_syslog_msg(lircd_t) 
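Review bot: The cron.te change from `init_spec_domtrans_script(system_cronjob_t)` to `init_domtrans_script(system_cronjob_t)` appears in neither the commit subject nor the changelog entry added to selinux-policy.spec, which names only lircd. If the non-spec interface adds an automatic type_transition to initrc_t on any init script instead of requiring the caller to set the context explicitly (as I recall upstream refpolicy defining the two), every system cron job that executes an init script now silently acquires the initrc_t domain, and that widening deserves its own changelog line and a comment beside the call, e.g. `# prelink restart path: automatic transition to initrc_t when running init scripts`. The surrounding system_cronjob_t block starts and ends outside the hunk.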
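Review bot: `dev_rw_input_dev(lircd_t)` grants write as well as read on every device carrying the input event device type, not just the IR receiver lircd serves, so a compromised lircd could feed events into other input devices on the host. The subject line says read/write but nothing in the hunk shows why writing is needed; if lircd's devinput driver only reads events, a read-only interface would be tighter should the devices module provide one, and otherwise the reason belongs inline, e.g. `# devinput driver needs read/write on /dev/input/event* for ioctls`. The lircd_t block continues past the hunk.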
@@ -4239,16 +4252,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-07-15 09:44:42.000000000 +0200 -@@ -139,6 +139,7 @@ ++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-07-31 09:55:41.000000000 +0200 +@@ -139,8 +139,10 @@ /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -167,6 +168,8 @@ + /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -167,6 +169,8 @@ /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
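Review bot: The new libraries.fc entry `/usr/lib(64)?/libnnz11.so(\.[^/]*)*` is inconsistent with every neighbouring pattern: the dot before `so` is unescaped, so it matches any character, and the `--` regular-file qualifier is missing, so directories and symlinks matching the pattern would also be labeled textrel_shlib_t. Suggested line: `/usr/lib(64)?/libnnz11\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Because textrel_shlib_t permits text relocations, keeping the match as narrow as the sibling entries matters.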
@@ -4257,7 +4273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`distro_debian',`
 /usr/lib32 -l gen_context(system_u:object_r:lib_t,s0)
 ')
-@@ -190,6 +193,7 @@
+@@ -190,6 +194,7 @@
 /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -4265,7 +4281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -284,6 +288,7 @@
+@@ -284,6 +289,7 @@
 /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # vmware
@@ -4273,7 +4289,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -366,9 +371,10 @@
+@@ -329,6 +335,8 @@
+ 
+ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
+ 
++/var/named/chroot/usr/lib/bind(/.*)? gen_context(system_u:object_r:lib_t,s0)
++
+ /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+ 
+ ifdef(`distro_suse',`
+@@ -366,9 +374,10 @@
 /usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
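Review bot: The new `/var/named/chroot/usr/lib/bind(/.*)?` entry, like the `/var/named/chroot/etc/pki(/.*)?` entry added to miscfiles.fc in the next hunk, labels a slice of the bind chroot from outside the bind module, so it only does what is intended if it wins over whatever the bind module's own file contexts assign under `/var/named/chroot`. Please confirm the resulting labels on a chrooted install with matchpathcon or `restorecon -nv`, and record the intent beside the entry, e.g. `# bind chroot copies of system libraries keep their non-chroot type`. Neither entry is mentioned in the spec changelog line added by this commit.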
@@ -4308,6 +4333,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`sulogin_no_pam', ` allow sulogin_t self:capability sys_tty_config; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.12/policy/modules/system/miscfiles.fc +--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-04-07 21:54:48.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/system/miscfiles.fc 2009-07-30 17:46:06.000000000 +0200 +@@ -11,6 +11,7 @@ + /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + + ifdef(`distro_redhat',` + /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-07-17 09:43:41.000000000 +0200 
@@ -4366,10 +4402,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hal_dontaudit_rw_pipes(ifconfig_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.12/policy/modules/system/udev.fc +--- nsaserefpolicy/policy/modules/system/udev.fc 2009-04-07 21:54:48.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/system/udev.fc 2009-07-30 17:22:30.000000000 +0200 +@@ -5,6 +5,7 @@ + /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + + /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) ++/etc/udev/rules\.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) + + /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-25 10:21:01.000000000 +0200 -@@ -112,6 +112,7 @@ ++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-07-30 17:17:23.000000000 +0200 +@@ -67,6 +67,7 @@ + + manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t) + manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t) ++manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) + files_pid_filetrans(udev_t,udev_var_run_t,{ dir file }) + + kernel_read_system_state(udev_t) +@@ -112,6 +113,7 @@ fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) @@ -4377,7 +4432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_ptrace_all(udev_t) -@@ -196,6 +197,10 @@ +@@ -196,6 +198,10 @@ ') optional_policy(` 
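Review bot: The udev.fc entry `/etc/udev/rules\.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)` gives a persistent configuration directory the same type as udev's runtime data under /var/run, so any domain permitted to manage udev_var_run_t pid files can now also create or edit rules that udev will apply as root on the next event. If the goal is only to let udev_t write generated rules and their symlinks, which the added `manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)` in udev.te suggests, a dedicated type for the rules directory, or at least an fc comment explaining why the runtime type is reused, would keep that distinction visible to the next maintainer. The udev_t block extends beyond the hunk on both sides.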
@@ -4390,7 +4445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-06-25 10:21:01.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-07-31 09:32:45.000000000 +0200 @@ -627,12 +627,6 @@ ') @@ -4421,7 +4476,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gnome_manage_config($1_usertype) gnome_manage_gconf_home_files($1_usertype) gnome_read_gconf_config($1_usertype) -@@ -1880,7 +1884,7 @@ +@@ -1457,6 +1461,7 @@ + ') + + allow $1 user_home_dir_t:dir search_dir_perms; ++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; + files_search_home($1) + ') + +@@ -1880,7 +1885,7 @@ type user_home_t; ') @@ -4430,7 +4493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3317,10 +3321,6 @@ +@@ -3317,10 +3322,6 @@ seutil_run_newrole($1_t, $1_r) optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index fb82d0c..e0551c1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 70%{?dist} +Release: 71%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Fri Jul 31 2009 Miroslav Grepl 3.6.12-71 +- Allow lircd read/write input event devices + * Tue Jul 28 2009 Miroslav Grepl 3.6.12-70 - Dontaudit logrotate sys_ptrace capability - Allow mrtg to transition to ping_t
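Review bot: The added `allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;` lands in an interface whose name and summary block are outside the hunk, and nothing in the hunk records which caller needed to follow symlinks in user home directories. The interface's `## <summary>` should say that symlinks in home directories are now readable, or the rule should carry a comment such as `# home directories may be symlinks (relocated /home)`. The surrounding interface starts and ends outside the hunk.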