diff --git a/policy-20071130.patch b/policy-20071130.patch index fde4db6..4775808 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -14490,7 +14490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +cron_read_system_job_lib_files(hald_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.3.1/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/inetd.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/inetd.te 2008-03-10 16:49:55.000000000 -0400 @@ -30,6 +30,10 @@ type inetd_child_var_run_t; files_pid_file(inetd_child_var_run_t) @@ -23383,7 +23383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-10 14:41:25.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-10 16:54:19.000000000 -0400 @@ -12,9 +12,15 @@ ## ## @@ -23847,7 +23847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +540,540 @@ +@@ -542,25 +540,541 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; 
@@ -23995,6 +23995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + class x_synthetic_event all_x_synthetic_event_perms; + + attribute xdm_x_domain; ++ attribute xserver_unconfined_type; + ') + + allow $1 self:x_cursor { create use setattr }; @@ -24084,6 +24085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $1 input_xevent_t:{ x_event x_synthetic_event } receive; + allow $1 $1:{ x_event x_synthetic_event } { send receive }; + allow $1 default_xevent_t:x_event receive; ++ allow $1 default_xevent_t:x_synthetic_event send; + + # can receive certain root window events + allow $1 focus_xevent_t:x_event receive; @@ -24122,7 +24124,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr }; + allow $1 xdm_xserver_t:x_resource read; + allow $1 xdm_xserver_t:x_server grab; -+ +') + +####################################### @@ -24394,7 +24395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -593,26 +1106,44 @@ +@@ -593,26 +1107,44 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -24446,15 +24447,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +1169,77 @@ +@@ -638,10 +1170,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` - type $1_xauth_t, xauth_exec_t; + type xauth_exec_t, xauth_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ ') ++ + domtrans_pattern($2, xauth_exec_t, xauth_t) +') + 
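Review bot: The added `attribute xserver_unconfined_type;` in this template's gen_require block is not referenced by any rule visible in the hunk, and since the enclosing template starts and ends outside the hunk it cannot be confirmed here whether anything in the body consumes it. A gen_require entry no rule uses is dead weight and suggests to the next reader that the template treats unconfined X domains specially when it may not. If the body does use it, a short comment beside the require naming the consuming rule, e.g. `# xserver_unconfined_type: used by the allow rules for unconfined X clients below`, makes the coupling visible; if it does not, the line should be dropped. The sibling `attribute xdm_x_domain;` on the line above has the same gap, so one comment covering both would help.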
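Review bot: The new `allow $1 default_xevent_t:x_synthetic_event send;` grants every domain instantiated by this template the ability to send synthetic (client-generated) events carrying the default event label, which judging by its name is presumably the catch-all for events not otherwise typed, whereas the line just above it grants only `receive` on `default_xevent_t:x_event`. Synthetic events are the mechanism by which one X client can inject input into another, so this broadens what a confined client may do to its peers and should carry a comment stating which application needed it, in the style of the existing `# can receive certain root window events`, e.g. `# send synthetic events with the default label (needed by <app, fill in>)`. If the requirement is specific to a few domains, a dedicated interface called by those domains rather than a rule in the shared template would keep the default tighter. The enclosing template starts and ends outside the hunk.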
@@ -24519,14 +24519,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_iceauth',` + gen_require(` + type user_iceauth_home_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + # Read .Iceauthority file + allow $2 user_iceauth_home_t:file { getattr read }; ') ######################################## -@@ -671,10 +1269,10 @@ +@@ -671,10 +1270,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -24539,7 +24540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1358,7 @@ +@@ -760,7 +1359,7 @@ type xconsole_device_t; ') @@ -24548,7 +24549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1458,25 @@ +@@ -860,6 +1459,25 @@ ######################################## ## @@ -24574,7 +24575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1531,7 @@ +@@ -914,6 +1532,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -24582,7 +24583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1573,24 @@ +@@ -955,6 +1574,24 @@ ######################################## ## @@ -24607,7 +24608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1601,47 @@ +@@ -965,15 +1602,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` 
@@ -24656,7 +24657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1791,7 @@ +@@ -1123,7 +1792,7 @@ type xdm_xserver_tmp_t; ') @@ -24665,7 +24666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1980,83 @@ +@@ -1312,3 +1981,83 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 470e628..e9df41b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -388,6 +388,9 @@ exit 0 %endif %changelog +* Mon Mar 10 2008 Dan Walsh 3.3.1-13 +- Additional changes for MLS policy + * Thu Mar 6 2008 Dan Walsh 3.3.1-12 - Fix initrc_context generation for MLS