diff --git a/policy-F12.patch b/policy-F12.patch index 4e4ef1f..b186c37 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -4272,7 +4272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.26/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-08-03 06:30:31.000000000 -0400 @@ -47,8 +47,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) 
@@ -4284,9 +4284,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) +@@ -82,6 +84,7 @@ + /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/random -c gen_context(system_u:object_r:random_device_t,s0) + /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0) + /dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-03 06:30:19.000000000 -0400 @@ -1655,6 +1655,78 @@ ######################################## 
@@ -4428,7 +4436,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read the lvm comtrol device. -@@ -2268,6 +2395,25 @@ +@@ -2232,6 +2359,24 @@ + + ######################################## + ## ++## Read and write the the wireless device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_wireless',` ++ gen_require(` ++ type device_t, wireless_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, wireless_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of the null device nodes. + ## + ## +@@ -2268,6 +2413,25 @@ ######################################## ## @@ -4456,7 +4489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.26/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/devices.te 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/devices.te 2009-08-03 06:30:00.000000000 -0400 @@ -84,6 +84,13 @@ dev_node(kmsg_device_t) 
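Review bot: The summary of the new `dev_rw_wireless` interface in the devices.if hunk reads `## Read and write the the wireless device.`, with a doubled "the"; it should be `## Read and write the wireless device.` The interface grants `rw_chr_files_pattern($1, device_t, wireless_device_t)`, and this patch attaches `wireless_device_t` to `/dev/rfkill`, so every caller also receives write access to the radio kill-switch node. If some consumers only need to query the state, a read-only companion built on `read_chr_files_pattern` would let them avoid the write grant; the hunk shows only the rw variant, so whether such callers exist cannot be told from here.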
@@ -4484,9 +4517,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Type for /dev/mapper/control # type lvm_control_t; +@@ -224,6 +237,12 @@ + type watchdog_device_t; + dev_node(watchdog_device_t) + ++# ++# wireless control devices ++# ++type wireless_device_t; ++dev_node(wireless_device_t) ++ + type xen_device_t; + dev_node(xen_device_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.26/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-08-03 08:04:07.000000000 -0400 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -8774,7 +8820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.26/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/bluetooth.te 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/bluetooth.te 2009-08-03 06:30:22.000000000 -0400 @@ -64,6 +64,7 @@ allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow bluetooth_t self:tcp_socket create_stream_socket_perms; 
@@ -8783,6 +8829,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) +@@ -111,6 +112,7 @@ + dev_rw_generic_usb_dev(bluetooth_t) + dev_read_urand(bluetooth_t) + dev_rw_input_dev(bluetooth_t) ++dev_rw_wireless(bluetooth_t) + + fs_getattr_all_fs(bluetooth_t) + fs_search_auto_mountpoints(bluetooth_t) +@@ -154,6 +156,10 @@ + ') + + optional_policy(` ++ networkmanager_dbus_chat(bluetooth_t) ++ ') ++ ++ optional_policy(` + pulseaudio_dbus_chat(bluetooth_t) + ') + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.26/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/services/certmaster.te 2009-07-30 15:33:08.000000000 -0400 @@ -11092,17 +11157,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.26/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/mysql.te 2009-07-30 15:33:09.000000000 -0400 -@@ -136,6 +136,8 @@ ++++ serefpolicy-3.6.26/policy/modules/services/mysql.te 2009-08-03 08:06:57.000000000 -0400 +@@ -136,7 +136,12 @@ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) +allow mysqld_safe_t mysqld_var_run_t:sock_file unlink; + allow mysqld_safe_t mysqld_log_t:file manage_file_perms; ++ ++domain_getattr_all_domains(mysqld_safe_t) ++ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) -@@ -152,7 +154,7 @@ + kernel_read_system_state(mysqld_safe_t) +@@ -152,7 +157,7 @@ miscfiles_read_localization(mysqld_safe_t) 
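Review bot: `domain_getattr_all_domains(mysqld_safe_t)` in the mysql.te hunk grants the wrapper script getattr on every process on the system, which is far broader than anything else mysqld_safe_t receives in this hunk, and nothing in the change says which command needs it. If the access comes only from the script scanning process lists, `domain_dontaudit_getattr_all_domains(mysqld_safe_t)` silences the denial without widening the policy. If it is genuinely required, a comment such as `# mysqld_safe checks for a running server via process getattr` above the call would let the next reviewer judge it.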
@@ -12408,7 +12477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.26/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-08-03 06:44:10.000000000 -0400 @@ -17,6 +17,8 @@ class dbus send_msg; ') @@ -12418,7 +12487,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 policykit_t:dbus send_msg; allow policykit_t $1:dbus send_msg; ') -@@ -167,7 +169,7 @@ +@@ -41,7 +43,6 @@ + + ######################################## + ## +-## Execute a policy_auth in the policy_auth domain, and + ## allow the specified role the policy_auth domain, + ## + ## +@@ -167,7 +168,7 @@ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) @@ -12427,7 +12504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -206,4 +208,30 @@ +@@ -206,4 +207,47 @@ files_search_var_lib($1) read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) 
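Review bot: Removing `## Execute a policy_auth in the policy_auth domain, and` in the policykit.if hunk at `@@ -41,7 +43,6 @@` leaves the interface summary as the fragment `## allow the specified role the policy_auth domain,`, which now starts mid-sentence and ends in a comma. The remaining line should be rewritten as a complete sentence, e.g. `## Allow the specified role access to the policy_auth domain.`; the interface body it documents lies outside this hunk, so I cannot confirm which rules it actually contains.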
@@ -12457,10 +12534,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_read_lib($2) + policykit_read_reload($2) + policykit_dbus_chat($2) ++') ++######################################## ++## ++## Send generic signal to policy_auth ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`policykit_signal_auth',` ++ gen_require(` ++ type policykit_auth_t; ++ ') ++ ++ allow $1 policykit_auth_t:process signal; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-03 06:50:17.000000000 -0400 @@ -38,9 +38,10 @@ allow policykit_t self:capability { setgid setuid }; @@ -12500,7 +12594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # polkit_auth local policy -@@ -77,7 +89,8 @@ +@@ -77,12 +89,15 @@ allow policykit_auth_t self:capability setgid; allow policykit_auth_t self:process getattr; 
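Review bot: In the new `policykit_signal_auth` interface the parameter description `## Domain allowed to transition.` does not match the single rule it wraps, `allow $1 policykit_auth_t:process signal;`, which involves no domain transition; the customary wording is `## Domain allowed access.` The interface also runs straight on from the preceding `')` with no blank line before its `########` banner, unlike the other interfaces in this file, so a blank added line is missing between them.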
@@ -12510,27 +12604,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_auth_t self:unix_dgram_socket create_socket_perms; allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -104,6 +117,8 @@ ++policykit_dbus_chat(policykit_auth_t) ++ + can_exec(policykit_auth_t, policykit_auth_exec_t) +-corecmd_search_bin(policykit_auth_t) ++corecmd_exec_bin(policykit_auth_t) + + rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) + +@@ -104,6 +119,7 @@ userdom_dontaudit_read_user_home_content_files(policykit_auth_t) optional_policy(` + dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) -+ dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -116,6 +131,10 @@ +@@ -116,6 +132,13 @@ hal_read_state(policykit_auth_t) ') +optional_policy(` ++ xserver_stream_connect(policykit_auth_t) + xserver_xdm_append_log(policykit_auth_t) ++ xserver_read_xdm_pid(policykit_auth_t) ++ xserver_search_xdm_lib(policykit_auth_t) +') + ######################################## # # polkit_grant local policy -@@ -123,7 +142,8 @@ +@@ -123,7 +146,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -12540,7 +12644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -153,9 +173,12 @@ +@@ -153,9 +177,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -12554,7 +12658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,7 +190,8 @@ +@@ -167,7 +194,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; 
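Review bot: Replacing `corecmd_search_bin(policykit_auth_t)` with `corecmd_exec_bin(policykit_auth_t)` in the policykit.te hunk lets the polkit authentication agent execute any bin_t program in its own domain, a much wider grant than the directory search it replaces, and the hunk gives no hint which program needed it. If a specific helper is the reason, a domain transition interface for that helper, or a narrower executable type, keeps the auth agent from running arbitrary system binaries; at minimum a comment naming the binary, e.g. `# needed to run <helper name> during authentication`, should accompany the call. The enclosing polkit_auth block continues outside the hunk.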
@@ -13686,8 +13790,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.26/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/ricci.te 2009-07-30 15:33:09.000000000 -0400 -@@ -440,6 +440,10 @@ ++++ serefpolicy-3.6.26/policy/modules/services/ricci.te 2009-08-03 07:21:27.000000000 -0400 +@@ -264,6 +264,7 @@ + allow ricci_modclusterd_t self:socket create_socket_perms; + + allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; ++allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; + + # log files + allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; +@@ -440,6 +441,10 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -16957,7 +17069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-03 06:49:41.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -17105,7 +17217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -756,7 +757,26 @@ +@@ -756,7 +757,44 @@ ') files_search_pids($1) 
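Review bot: `allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;` in the ricci.te hunk applies the file-class permission set to the fifo_file class; refpolicy keys its permission macros to the object class, and this same patch writes `allow xserver_t self:fifo_file rw_fifo_file_perms;` for the equivalent case. The line should read `allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_fifo_file_perms;` so that the rule picks up the fifo-specific set if the two ever diverge.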
@@ -17130,10 +17242,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + files_search_pids($1) + manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ++') ++ ++######################################## ++## ++## Search XDM var lib dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_search_xdm_lib',` ++ gen_require(` ++ type xdm_var_lib_t; ++ ') ++ ++ allow $1 xdm_var_lib_t:dir search_dir_perms; ') ######################################## -@@ -779,6 +799,50 @@ +@@ -779,6 +817,50 @@ ######################################## ## @@ -17184,7 +17314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -797,6 +861,24 @@ +@@ -797,6 +879,24 @@ ######################################## ## @@ -17209,7 +17339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -872,6 +954,27 @@ +@@ -872,6 +972,27 @@ ######################################## ## @@ -17237,7 +17367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write the X server ## log files. ## -@@ -1018,10 +1121,11 @@ +@@ -1018,10 +1139,11 @@ # interface(`xserver_domtrans',` gen_require(` @@ -17250,7 +17380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1159,6 +1263,276 @@ +@@ -1159,6 +1281,276 @@ ######################################## ## 
@@ -17527,7 +17657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1172,7 +1546,103 @@ +@@ -1172,7 +1564,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -17564,7 +17694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 $1:x_drawable all_x_drawable_perms; + allow $1 $2:x_resource all_x_resource_perms; + allow $2 $1:x_resource all_x_resource_perms; -+') + ') + +####################################### +## @@ -17589,7 +17719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + class x_selection all_x_selection_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; - ') ++') + + # Type attributes + typeattribute $1 x_domain; @@ -17633,7 +17763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.26/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/xserver.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/xserver.te 2009-08-03 06:43:20.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -18060,7 +18190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +650,29 @@ +@@ -542,6 +650,30 @@ ') optional_policy(` 
@@ -18068,6 +18198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_domtrans_auth(xdm_t) + policykit_read_lib(xdm_t) + policykit_read_reload(xdm_t) ++ policykit_signal_auth(xdm_t) +') + +optional_policy(` @@ -18090,7 +18221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +681,9 @@ +@@ -550,8 +682,9 @@ ') optional_policy(` @@ -18102,7 +18233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +692,6 @@ +@@ -560,7 +693,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -18110,7 +18241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +702,10 @@ +@@ -571,6 +703,10 @@ ') optional_policy(` @@ -18121,7 +18252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +722,9 @@ +@@ -587,10 +723,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -18133,7 +18264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +736,11 @@ +@@ -602,9 +737,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -18145,7 +18276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +752,14 @@ +@@ -616,13 +753,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -18161,7 +18292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +772,19 @@ +@@ -635,9 +773,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -18181,7 +18312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +827,12 @@ +@@ -680,9 +828,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -18195,7 +18326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +847,12 @@ +@@ -697,8 +848,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -18208,7 +18339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +874,7 @@ +@@ -720,6 +875,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -18216,7 +18347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +897,7 @@ +@@ -742,7 +898,7 @@ ') ifdef(`enable_mls',` 
@@ -18225,7 +18356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,12 +929,20 @@ +@@ -774,12 +930,20 @@ ') optional_policy(` @@ -18247,7 +18378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -806,7 +969,7 @@ +@@ -806,7 +970,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -18256,7 +18387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +990,14 @@ +@@ -827,9 +991,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -18271,7 +18402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +1012,14 @@ +@@ -844,11 +1013,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -18287,7 +18418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -881,6 +1052,8 @@ +@@ -881,6 +1053,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -18296,7 +18427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1078,8 @@ +@@ -905,6 +1079,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -18305,7 +18436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1147,49 @@ +@@ -972,17 +1148,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -19738,7 +19869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.26/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-07-30 16:27:55.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-08-03 07:56:50.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -19925,7 +20056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -304,10 +294,91 @@ +@@ -304,10 +294,92 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -19958,6 +20089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
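Review bot: The new libraries.fc entry `/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)*` assigns `textrel_shlib_t`, the type that permits text relocations (execmod) in every process mapping the library, and its `.*` component matches any depth under `/usr/lib/oracle`, so any file of that name anywhere in the tree receives the relaxed label. If the version-directory layout is known, restricting that component to a single directory level keeps the execmod-permitting label to the intended file. The neighbouring `libnnz` entry on the line above uses `/usr/lib/oracle/.*` without `(64)?`, so the two entries now disagree about whether a `/usr/lib/oracle64` tree is covered; whether such a path exists on the target systems is not something the hunk shows.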