From bcc53daceda102a034fa3dc3be2542a5d5de25a6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 30 2009 11:46:56 +0000
Subject: - Add rules for rtkit-daemon
---
diff --git a/policy-F12.patch b/policy-F12.patch
index 625e96a..ec51a2e 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -1701,8 +1701,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.20/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.20/policy/modules/apps/gitosis.if 2009-06-26 14:09:22.000000000 -0400
-@@ -0,0 +1,94 @@
++++ serefpolicy-3.6.20/policy/modules/apps/gitosis.if 2009-06-29 12:24:01.000000000 -0400
+@@ -0,0 +1,96 @@ +## gitosis interface + +#######################################
@@ -1771,6 +1771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + ') +
++ files_search_var_lib($1) + read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
@@ -1793,6 +1794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + ') +
++ files_search_var_lib($1) + manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) 
@@ -5444,7 +5446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.20/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-06-26 13:59:17.000000000 -0400
-+++ serefpolicy-3.6.20/policy/modules/kernel/corecommands.if 2009-06-26 14:09:22.000000000 -0400
++++ serefpolicy-3.6.20/policy/modules/kernel/corecommands.if 2009-06-29 08:33:09.000000000 -0400
@@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t)
@@ -5791,7 +5793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.20/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.20/policy/modules/kernel/domain.if 2009-06-26 14:09:22.000000000 -0400
++++ serefpolicy-3.6.20/policy/modules/kernel/domain.if 2009-06-29 08:19:04.000000000 -0400
@@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain
@@ -5827,7 +5829,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ########################################
-@@ -1248,18 +1220,34 @@
+@@ -791,6 +763,24 @@ + + ######################################## + ##
++## Get the scheduler information of all domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_getsched_all_domains',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:process getsched;
++')
++
++########################################
++## + ## Do not audit attempts to get the + ## session ID of all domains. + ##
+@@ -1248,18 +1238,34 @@ ## ## # 
@@ -5865,7 +5892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc)
-@@ -1280,6 +1268,24 @@
+@@ -1280,6 +1286,24 @@ ######################################## ##
@@ -13480,6 +13507,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mta_manage_spool(dovecot_deliver_t) +') +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.20/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-06-12 15:45:03.000000000 -0400
++++ serefpolicy-3.6.20/policy/modules/services/fetchmail.te 2009-06-29 08:33:22.000000000 -0400
+@@ -47,6 +47,8 @@ + kernel_read_proc_symlinks(fetchmail_t) + kernel_dontaudit_read_system_state(fetchmail_t) +
++corecmd_exec_shell(fetchmail_t)
++ + corenet_all_recvfrom_unlabeled(fetchmail_t) + corenet_all_recvfrom_netlabel(fetchmail_t) + corenet_tcp_sendrecv_generic_if(fetchmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.20/policy/modules/services/fprintd.fc
--- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.20/policy/modules/services/fprintd.fc 2009-06-26 14:09:22.000000000 -0400 
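Review bot: `corecmd_exec_shell(fetchmail_t)` in the fetchmail.te hunk (`@@ -13480,6 +13507,18 @@`) gives a network-facing mail retriever unconditional permission to execute the system shell, and the hunk records no reason for it. If the grant exists for fetchmail's mda/preconnect/postconnect-style options, which hand a configured command line to a shell, a comment above the rule such as `# fetchmail runs the configured mda/preconnect/postconnect commands via a shell` would let the next reader check the grant against its use case; if it was only added to quiet a denial seen in testing, a dontaudit may be the safer choice. The rule is also unconditional rather than behind a boolean, so every fetchmail_t instance gets it whether or not those options are configured. The enclosing fetchmail_t rule block starts and ends outside the hunk.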
@@ -19453,8 +19492,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.20/policy/modules/services/rtkit_daemon.te
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.20/policy/modules/services/rtkit_daemon.te 2009-06-26 14:09:22.000000000 -0400
-@@ -0,0 +1,33 @@
++++ serefpolicy-3.6.20/policy/modules/services/rtkit_daemon.te 2009-06-29 08:19:15.000000000 -0400
+@@ -0,0 +1,36 @@ +policy_module(rtkit_daemon,1.0.0) + +########################################
@@ -19477,6 +19516,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; +allow rtkit_daemon_t self:capability sys_nice; +
++domain_getsched_all_domains(rtkit_daemon_t)
++domain_read_all_domains_state(rtkit_daemon_t)
++ +fs_rw_anon_inodefs_files(rtkit_daemon_t) + +auth_use_nsswitch(rtkit_daemon_t)
@@ -22020,7 +22062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.20/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-06-26 13:59:19.000000000 -0400
-+++ serefpolicy-3.6.20/policy/modules/services/ssh.te 2009-06-26 14:09:22.000000000 -0400
++++ serefpolicy-3.6.20/policy/modules/services/ssh.te 2009-06-29 12:21:20.000000000 -0400
@@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t)
@@ -22124,7 +22166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ########################################
-@@ -318,16 +314,30 @@
+@@ -318,16 +314,34 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) 
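Review bot: `domain_read_all_domains_state(rtkit_daemon_t)` in the rtkit_daemon.te hunk (`@@ -19477,6 +19516,9 @@`) grants the daemon read access to every domain's process state, which is much wider than the `getsched` query granted on the line above it, and neither line carries a comment saying what the daemon actually reads. Presumably rtkit checks the thread it is asked to reprioritize through that thread's /proc entry, and no narrower interface covers proc entries of arbitrary domains; if that is the reason, a comment above the two calls such as `# rtkit validates the requesting thread via its /proc entry before changing its priority` would make the breadth reviewable. Separately, the daemon exists to change other processes' scheduling, but this file only grants `setsched` on `self:process`; the matching permission on client domains is presumably given by an interface in rtkit_daemon.if, which is outside this diff, and is worth confirming rather than assuming. The rtkit_daemon_t rule block starts and ends outside the hunk.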
@@ -22153,11 +22195,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(`
++ gitosis_manage_var_lib(sshd_t)
++')
++
++optional_policy(` + xserver_getattr_xauth(sshd_t) ') optional_policy(`
-@@ -349,7 +359,11 @@
+@@ -349,7 +363,11 @@ ') optional_policy(`
@@ -22170,7 +22216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ')
-@@ -408,15 +422,13 @@
+@@ -408,15 +426,13 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 46902f0..373ff7b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.20
-Release: 1%{?dist}
+Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,9 @@ exit 0 %endif %changelog
+* Tue Jun 30 2009 Dan Walsh 3.6.20-2
+- Add rules for rtkit-daemon
+ * Thu Jun 25 2009 Dan Walsh 3.6.20-1 - Update to upstream - Fix nlscd_stream_connect
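Review bot: `gitosis_manage_var_lib(sshd_t)` in the ssh.te hunk (`@@ -22153,11 +22195,15 @@`) gives sshd_t create, write and delete access on gitosis_var_lib_t, the label this same patch puts on `/var/lib/gitosis(/.*)?` in the first hunk of the policy-F12.patch section, while what sshd presumably needs to log a gitosis user in is read access to the authorized_keys file under that tree. Unless a denial showed sshd writing there, the read-only interface — the one whose body the `@@ -1771,6 +1771,7 @@` hunk extends with `files_search_var_lib($1)`, presumably named `gitosis_read_var_lib` — is the least-privilege choice: `gitosis_read_var_lib(sshd_t)`. Either way, a one-line comment above the new `optional_policy` block naming the file sshd touches would make the grant reviewable later.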