From d9707eeae9e8b111f511784fb7d8785259380f4f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 03 2007 03:29:59 +0000 Subject: - Allow xdm to list all filesystem directories --- diff --git a/policy-20070703.patch b/policy-20070703.patch index db6bd87..6c6c8ba 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -14382,7 +14382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-12-02 22:01:51.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -14435,12 +14435,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -132,15 +147,20 @@ +@@ -132,15 +147,21 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_rw_tmpfs_files(xdm_xserver_t) +fs_getattr_all_fs(xdm_t) ++fs_list_all(xdm_t) manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) @@ -14457,7 +14458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -185,6 +205,7 @@ +@@ -185,6 +206,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) 
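Review bot: The added `fs_list_all(xdm_t)` in the xdm_t tmpfs rules of xserver.te is a broad grant to the display-manager login domain, and neither the policy line nor the changelog entry records which denial made it necessary. As far as I can tell the interface permits listing directories labelled with any filesystem type, so it widens what the domain can enumerate on mounted volumes beyond the `fs_getattr_all_fs(xdm_t)` on the line above it. If the denial involved only one or two filesystem types, a narrower interface such as `fs_list_nfs(xdm_t)` or `fs_list_auto_mountpoints(xdm_t)` would keep xdm_t closer to least privilege. Otherwise put a why-comment above the rule, for example `# xdm lists mount points of every fs type: <AVC denial or bug reference>`. The xdm_t rule block starts and ends outside this hunk, so narrower list rules may already exist elsewhere in the file.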
@@ -14465,7 +14466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -197,6 +218,7 @@ +@@ -197,6 +219,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -14473,7 +14474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -209,8 +231,8 @@ +@@ -209,8 +232,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -14484,7 +14485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -246,6 +268,7 @@ +@@ -246,6 +269,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -14492,7 +14493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -257,6 +280,7 @@ +@@ -257,6 +281,7 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -14500,7 +14501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -@@ -268,9 +292,14 @@ +@@ -268,9 +293,14 @@ userdom_create_all_users_keys(xdm_t) # for .dmrc userdom_read_unpriv_users_home_content_files(xdm_t) @@ -14515,7 +14516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -306,6 +335,11 @@ +@@ -306,6 +336,11 @@ optional_policy(` consolekit_dbus_chat(xdm_t) @@ -14527,7 +14528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -313,6 +347,10 @@ +@@ -313,6 +348,10 @@ ') optional_policy(` 
@@ -14538,7 +14539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -348,12 +386,8 @@ +@@ -348,12 +387,8 @@ ') optional_policy(` @@ -14552,7 +14553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +419,7 @@ +@@ -385,7 +420,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -14561,7 +14562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -397,6 +431,15 @@ +@@ -397,6 +432,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -14577,7 +14578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -425,6 +468,14 @@ +@@ -425,6 +469,14 @@ ') optional_policy(` @@ -14592,7 +14593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +485,26 @@ +@@ -434,47 +486,26 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index dc2f9b7..fd20e5b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 63%{?dist} +Release: 64%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,9 @@ exit 0 %endif %changelog +* Sun Dec 2 2007 Dan Walsh 3.0.8-64 +- Allow xdm to list all filesystem directories + * Wed Nov 28 2007 Dan Walsh 3.0.8-63 - Change labeling on hpijs - Fix unconfined_u defintion