From ceda8feb6846f9d7f24f0db09e559f075ce280fb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 12 2008 12:39:48 +0000
Subject: - Change init_t to an unconfined_domain
---
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 150e48e..0128f77 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -26326,7 +26326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-12 08:33:31.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-12 08:37:59.000000000 -0400
 @@ -10,6 +10,20 @@
 # Declarations
 #
@@ -26461,20 +26461,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
-@@ -201,10 +239,9 @@
- allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
+@@ -198,13 +236,14 @@
+ allow initrc_t self:udp_socket create_socket_perms;
+ allow initrc_t self:fifo_file rw_file_perms;
+
+-allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
++allow init_t initrc_t:unix_dgram_socket sendto;
++
 term_create_pty(initrc_t,initrc_devpts_t)
 -# Going to single user mode
 -init_exec(initrc_t)
 +init_telinit(initrc_t)
++init_chat(initrc_t)
 -can_exec(initrc_t,initrc_exec_t)
 +can_exec(initrc_t,initscript)
 manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
 manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -257,7 +294,7 @@
+@@ -257,7 +296,7 @@
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
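Review bot: The inner hunk now removes `allow initrc_t initrc_devpts_t:chr_file rw_term_perms;` (the `+-allow …` line) in the same stroke that adds `allow init_t initrc_t:unix_dgram_socket sendto;`, and neither the subject nor the changelog mentions a permission being dropped; if `term_create_pty(initrc_t,initrc_devpts_t)` is meant to cover it, say so in the commit message, otherwise initrc_t silently loses its pty access. The new sendto rule has init_t as its source domain but sits among the `allow initrc_t self:…` rules; keeping it in the init_t section of init.te (or behind an interface) makes the policy easier to audit. No hunk in this commit contains `unconfined_domain(init_t)`, so the title and changelog appear to describe a change that is not in this diff — and if init_t is already unconfined elsewhere in the patch, the explicit sendto rule is redundant with it; please confirm which is the case. `init_chat(initrc_t)` depends on an init_chat interface that is not declared anywhere visible here; presumably it lives in the init.if part of policy-20071130.patch, but confirm it exists or the policy build fails on an undefined macro. The inner init.te hunk continues past the end of this outer hunk.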
@@ -26483,7 +26489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -283,7 +320,6 @@
+@@ -283,7 +322,6 @@
 mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
@@ -26491,7 +26497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 selinux_get_enforce_mode(initrc_t)
-@@ -496,6 +532,31 @@
+@@ -496,6 +534,31 @@
 ')
 ')
@@ -26523,7 +26529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 amavis_search_lib(initrc_t)
 amavis_setattr_pid_files(initrc_t)
-@@ -559,14 +620,6 @@
+@@ -559,14 +622,6 @@
 ')
 optional_policy(`
@@ -26538,7 +26544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ftp_read_config(initrc_t)
 ')
-@@ -639,12 +692,6 @@
+@@ -639,12 +694,6 @@
 mta_read_config(initrc_t)
 mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
@@ -26551,7 +26557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 ifdef(`distro_redhat',`
-@@ -705,6 +752,9 @@
+@@ -705,6 +754,9 @@
 # why is this needed:
 rpm_manage_db(initrc_t)
@@ -26561,7 +26567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -717,9 +767,11 @@
+@@ -717,9 +769,11 @@
 squid_manage_logs(initrc_t)
 ')
@@ -26576,7 +26582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -738,6 +790,11 @@
+@@ -738,6 +792,11 @@
 uml_setattr_util_sockets(initrc_t)
 ')
@@ -26588,7 +26594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 unconfined_domain(initrc_t)
-@@ -752,6 +809,10 @@
+@@ -752,6 +811,10 @@
 ')
 optional_policy(`
@@ -26599,7 +26605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 vmware_read_system_config(initrc_t)
 vmware_append_system_config(initrc_t)
 ')
-@@ -774,3 +835,4 @@
+@@ -774,3 +837,4 @@
 optional_policy(`
 zebra_read_config(initrc_t)
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ca00fb5..e7440ec 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@ exit 0
 %endif
 %changelog
+* Wed Mar 12 2008 Dan Walsh 3.3.1-16
+- Change init_t to an unconfined_domain
+
 * Tue Mar 11 2008 Dan Walsh 3.3.1-15
 - Allow init to transition to initrc_t on shell exec.
 - Fix init to be able to sendto init_t.