diff --git a/policy-20071114.patch b/policy-20071114.patch index b194889..7b0b3ee 100644 --- a/policy-20071114.patch +++ b/policy-20071114.patch @@ -1256,7 +1256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.1.2/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.1.2/policy/modules/admin/rpm.te 2007-11-26 16:40:13.000000000 -0500 ++++ serefpolicy-3.1.2/policy/modules/admin/rpm.te 2007-11-28 10:57:00.000000000 -0500 @@ -139,6 +139,7 @@ auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) @@ -1287,7 +1287,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -289,6 +296,7 @@ +@@ -195,6 +202,7 @@ + unconfined_domain(rpm_t) + # yum-updatesd requires this + unconfined_dbus_chat(rpm_t) ++ unconfined_dbus_chat(rpm_script_t) + ') + + ifdef(`TODO',` +@@ -289,6 +297,7 @@ auth_dontaudit_getattr_shadow(rpm_script_t) # ideally we would not need this auth_manage_all_files_except_shadow(rpm_script_t) @@ -1295,7 +1303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te corecmd_exec_all_executables(rpm_script_t) -@@ -321,6 +329,7 @@ +@@ -321,6 +330,7 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1303,7 +1311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te userdom_use_all_users_fds(rpm_script_t) -@@ -339,10 +348,6 @@ +@@ -339,10 +349,6 @@ ') optional_policy(` 
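Review bot: The new `unconfined_dbus_chat(rpm_script_t)` line sits under the `# yum-updatesd requires this` comment that was written for rpm_t, so the reason package scriptlets now need two-way D-Bus messaging with unconfined domains goes unrecorded; add a line above it such as `# scriptlets need to reach unconfined dbus services (record the denial that motivated this)`. Because it is inside the unconfined optional block where `unconfined_domain(rpm_t)` already applies, the practical widening is presumably small, but rpm_script_t is the domain every package's %post runs in and dbus chat is bidirectional, so the audit trail matters. The enclosing optional_policy block opens before the hunk.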
@@ -2869,7 +2877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(postgrey, tcp,60000,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.1.2/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-11-14 16:20:13.000000000 -0500 -+++ serefpolicy-3.1.2/policy/modules/kernel/devices.fc 2007-11-26 16:40:13.000000000 -0500 ++++ serefpolicy-3.1.2/policy/modules/kernel/devices.fc 2007-11-28 10:30:00.000000000 -0500 @@ -4,6 +4,7 @@ /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -2896,18 +2904,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) -@@ -30,7 +34,10 @@ +@@ -30,6 +34,8 @@ /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) +/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) - /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -@@ -114,9 +121,14 @@ +@@ -114,9 +120,14 @@ /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) 
@@ -4610,8 +4616,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.1.2/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.2/policy/modules/services/cron.if 2007-11-26 16:40:13.000000000 -0500 -@@ -35,6 +35,7 @@ ++++ serefpolicy-3.1.2/policy/modules/services/cron.if 2007-11-28 08:46:16.000000000 -0500 +@@ -35,38 +35,23 @@ # template(`cron_per_role_template',` gen_require(` @@ -4619,10 +4625,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron attribute cron_spool_type; type crond_t, cron_spool_t, crontab_exec_t; ') -@@ -44,29 +45,13 @@ ++ typealias $1_t alias $1_crond_t; + + # Type of user crontabs once moved to cron spool. + type $1_cron_spool_t, cron_spool_type; files_type($1_cron_spool_t) - type $1_crond_t; +- type $1_crond_t; - domain_type($1_crond_t) - domain_cron_exemption_target($1_crond_t) - corecmd_shell_entry_type($1_crond_t) @@ -4815,7 +4824,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -438,6 +333,25 @@ +@@ -285,14 +180,12 @@ + template(`cron_admin_template',` + gen_require(` + attribute cron_spool_type; +- type $1_crontab_t, $1_crond_t; ++ type $1_crontab_t; + ') + + # Allow our crontab domain to unlink a user cron spool file. + allow $1_crontab_t cron_spool_type:file { getattr read unlink }; + +- logging_read_generic_logs($1_crond_t) +- + # Manipulate other users crontab. + selinux_get_fs_mount($1_crontab_t) + selinux_validate_context($1_crontab_t) +@@ -438,6 +331,25 @@ ######################################## ## 
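Review bot: `typealias $1_t alias $1_crond_t;` replaces a separate confined domain (the deleted `domain_type`/`domain_cron_exemption_target`/`corecmd_shell_entry_type` rules show it was one) with the user's own domain, and nothing in the hunk states that per-role cron jobs are now intended to run with full `$1_t` privileges; a comment above it, `# Per-role crond domains were dropped: cron jobs run as $1_t. The alias keeps existing $1_crond_t references valid.`, would explain why an alias stands where a type was. Every rule elsewhere that still names `$1_crond_t` now silently applies to `$1_t` (the `unconfined_domain(unconfined_crond_t)` removed later in this commit is one such case), so remaining `_crond_t` callers should be grepped before this lands. Dropping `logging_read_generic_logs($1_crond_t)` from cron_admin_template is consistent with that, since it would otherwise have granted the admin user domain itself. The template body continues outside the hunk.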
@@ -5054,8 +5079,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`TODO',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.1.2/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.1.2/policy/modules/services/cups.fc 2007-11-26 16:40:13.000000000 -0500 -@@ -8,17 +8,14 @@ ++++ serefpolicy-3.1.2/policy/modules/services/cups.fc 2007-11-28 08:28:27.000000000 -0500 +@@ -8,17 +8,15 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -5068,13 +5093,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -@@ -26,6 +23,11 @@ +@@ -26,6 +24,11 @@ /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) 
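Review bot: `/usr/bin/hpijs` is given `hplip_exec_t`, the entrypoint type also used for `/usr/sbin/hpiod` below it, yet hpijs is presumably a print-filter helper spawned from the CUPS filter chain rather than a service; if cupsd_t has a domain transition on hplip_exec_t, every print job using an HP driver will now execute in the daemon's domain with whatever device and network access hplip_t carries. Confirm that is the intended confinement, and if not, leave it at the default /usr/bin label or give it a filter type; either way a comment such as `# IJS driver helper; runs in the hplip domain to reach the printer` would record the decision. The file-context list continues outside the hunk.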
@@ -5086,7 +5112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -@@ -33,7 +35,7 @@ +@@ -33,7 +36,7 @@ /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -5095,7 +5121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -50,3 +52,6 @@ +@@ -50,3 +53,6 @@ /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) @@ -9312,7 +9338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.1.2/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.2/policy/modules/services/sendmail.te 2007-11-26 16:40:13.000000000 -0500 ++++ serefpolicy-3.1.2/policy/modules/services/sendmail.te 2007-11-28 07:25:24.000000000 -0500 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) 
@@ -9347,7 +9373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t) -@@ -94,30 +99,32 @@ +@@ -94,30 +99,33 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) @@ -9356,6 +9382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send - userdom_dontaudit_use_unpriv_user_fds(sendmail_t) userdom_dontaudit_search_sysadm_home_dirs(sendmail_t) ++userdom_read_all_users_home_content_files(sendmail_t) mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) @@ -9386,7 +9413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -131,10 +138,18 @@ +@@ -131,10 +139,18 @@ ') optional_policy(` @@ -9405,7 +9432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send udev_read_db(sendmail_t) ') -@@ -156,3 +171,15 @@ +@@ -156,3 +172,15 @@ dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; ') dnl end TODO 
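Review bot: `userdom_read_all_users_home_content_files(sendmail_t)` lets the MTA read every regular file under every user's home, and the hunk gives no reason; if the motivation is ~/.forward handling, say so with `# read ~/.forward for local delivery` and consider gating it behind a boolean, since a sendmail_t compromise would otherwise expose all home content, keys included. It is also added unconditionally right beside `userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)`, which suggests the earlier intent was to keep sendmail out of home directories, so the change in stance deserves an explicit note. The remaining sendmail_t rules continue outside the hunk.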
@@ -13007,6 +13034,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu optional_policy(` hotplug_use_fds(setfiles_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.1.2/policy/modules/system/sysnetwork.fc +--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2006-11-16 17:15:24.000000000 -0500 ++++ serefpolicy-3.1.2/policy/modules/system/sysnetwork.fc 2007-11-28 11:55:44.000000000 -0500 +@@ -52,8 +52,7 @@ + /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) + /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) + +-/var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) +-/var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) ++/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) + + ifdef(`distro_gentoo',` + /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.1.2/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400 +++ serefpolicy-3.1.2/policy/modules/system/sysnetwork.if 2007-11-26 16:40:13.000000000 -0500 @@ -13484,7 +13524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.2/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.1.2/policy/modules/system/unconfined.te 2007-11-26 16:40:13.000000000 -0500 ++++ serefpolicy-3.1.2/policy/modules/system/unconfined.te 2007-11-28 08:47:02.000000000 -0500 @@ -16,6 +16,10 @@ type unconfined_exec_t; 
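Review bot: `/var/run/dhclient.* -- gen_context(...dhcpc_var_run_t...)` is wider than the two `\.pid`/`\.leases` patterns it replaces: `.*` also matches `/`, so any regular file at any depth under a path beginning `/var/run/dhclient` now gets dhcpc_var_run_t, not just the per-interface pid and lease files. If that is the goal, a comment like `# dhclient names its pid/lease files per interface` would justify it; if not, `/var/run/dhclient[^/]*\.(pid|leases)` keeps the original scope while still allowing arbitrary interface names. The `ifdef(\`distro_gentoo'` block that follows is context only.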
@@ -13545,17 +13585,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_domain(httpd_unconfined_script_t) ') -@@ -73,6 +87,9 @@ +@@ -71,8 +85,8 @@ + + optional_policy(` cron_per_role_template(unconfined, unconfined_t, unconfined_r) - # this is disallowed usage: - unconfined_domain(unconfined_crond_t) +- # this is disallowed usage: +- unconfined_domain(unconfined_crond_t) + unconfined_domain(unconfined_crontab_t) + role system_r types unconfined_crontab_t; -+ rpm_transition_script(unconfined_crond_t) ') optional_policy(` -@@ -107,6 +124,10 @@ +@@ -107,6 +121,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -13566,7 +13607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +139,11 @@ +@@ -118,11 +136,11 @@ ') optional_policy(` @@ -13580,7 +13621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,11 +155,7 @@ +@@ -134,11 +152,7 @@ ') optional_policy(` @@ -13593,7 +13634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -154,33 +171,20 @@ +@@ -154,33 +168,20 @@ ') optional_policy(` @@ -13631,7 +13672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +209,22 @@ +@@ -205,11 +206,22 @@ ') optional_policy(` @@ -13656,7 +13697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +234,26 @@ +@@ -219,14 +231,26 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
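Review bot: With `unconfined_domain(unconfined_crond_t)` and its `# this is disallowed usage:` comment gone, nothing at the `cron_per_role_template(unconfined, unconfined_t, unconfined_r)` call records that unconfined users' cron jobs now run directly as unconfined_t by way of the `typealias $1_t alias $1_crond_t` introduced in cron.if in this commit; a one-line comment after the call, `# unconfined_crond_t is now an alias of unconfined_t; do not re-add rules for it`, would stop a future reader from reinstating the disallowed rule. `role system_r types unconfined_crontab_t;` is retained, so the crontab helper stays reachable from system_r as well as unconfined_r, which is fine for unconfined but worth confirming is still needed now that the cron domain split is gone. Dropping `rpm_transition_script(unconfined_crond_t)` is correct, since after the alias it would have applied to unconfined_t itself.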
@@ -13694,7 +13735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.1.2/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.1.2/policy/modules/system/userdomain.if 2007-11-26 22:54:17.000000000 -0500 ++++ serefpolicy-3.1.2/policy/modules/system/userdomain.if 2007-11-28 07:19:08.000000000 -0500 @@ -29,8 +29,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 221e81f..5348872 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.1.2 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -379,6 +379,9 @@ exit 0 %endif %changelog +* Wed Nov 28 2007 Dan Walsh 3.1.2-2 +- Remove user specific crond_t + * Mon Nov 19 2007 Dan Walsh 3.1.2-1 - Merge with upstream - Allow xsever to read hwdata_t