diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index be7ea90..d58c39e 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,14 +1,14 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
-allow_execmem = false
+allow_execmem = true
# Allow making a modified private filemapping executable (text relocation).
#
-allow_execmod = false
+allow_execmod = true
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = false
+allow_execstack = true
# Allow ftpd to read cifs directories.
#
@@ -266,3 +266,11 @@ user_rw_noexattrfile=true
# Allow qemu to connect fully to the network
#
allow_qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+#
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+#
+allow_unconfined_nsplugin_transition=true
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 6eb24bc..952bd75 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -4127,7 +4127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.3.1/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/java.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/java.te 2008-02-27 23:56:52.000000000 -0500
@@ -6,16 +6,10 @@
#
# Declarations
#
@@ -4146,7 +4146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
########################################
#
-@@ -23,11 +17,23 @@
+@@ -23,11 +17,28 @@
#
# execheap is needed for itanium/BEA jrocket
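Review bot: Switching allow_execmem, allow_execmod and allow_execstack to true in the first hunk turns off the executable-memory, text-relocation and executable-stack checks for every domain those booleans gate, not only for the plugin case the rest of this commit deals with, and no rationale is recorded. The second hunk of the same file adds a narrower allow_nsplugin_execmem tunable, which suggests the per-domain route was available; leaving the three global defaults at false and relying on the domain-specific boolean would keep the weakening scoped to the domains that need it. If the global defaults must change, a one-line comment above each stating the reason for the new default (and that an administrator can revert it with setsebool) would record the decision for the next reviewer.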
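Review bot: Both new booleans in the second hunk default to true, and the description of allow_unconfined_nsplugin_transition, `# Allow unconfined domain to transition to confined domain`, does not say which confined domain is meant even though the name does; `# Allow the unconfined domain to transition to the confined nsplugin domain` would match the identifier. The allow_nsplugin_execmem comment says it exists `for bad plugins`, yet a default of true gives every plugin execmem/execstack unless an administrator opts out, which the comment should state explicitly so the default is a conscious choice rather than an accident of the setting's wording.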
@@ -4164,15 +4164,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+ unconfined_dbus_chat(java_t)
+ ')
+')
++
++optional_policy(`
++ rpm_domtrans(java_t)
++')
optional_policy(`
unconfined_domain_noaudit(java_t)
- unconfined_dbus_chat(java_t)
-+')
+ ')
+
+optional_policy(`
-+ xserver_xdm_rw_shm(java_t)
- ')
++ xserver_xdm_rw_shm(java_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.3.1/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te 2008-02-26 08:29:22.000000000 -0500
@@ -26657,8 +26662,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,290 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-02-27 23:40:38.000000000 -0500
+@@ -0,0 +1,291 @@
+
+## policy for qemu
+
@@ -26896,6 +26901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+
+ domain_use_interactive_fds($1_t)
+
++ allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:process { execstack execmem signal getsched };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 599e9eb..437829b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
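Review bot: The new `rpm_domtrans(java_t)` block in the java.te hunk lets the java domain transition into the rpm domain, which in a targeted policy is presumably a far more privileged domain than java_t itself, and nothing in the hunk gates the grant behind a tunable or says which workload needs it. The other grants in this region are at least wrapped in optional_policy blocks that follow a pattern of being paired with booleans elsewhere in the commit, so gating this one the same way, with a comment naming the use case, would keep the transition opt-in rather than unconditional. The hunk also moves `unconfined_dbus_chat(java_t)` out of the unconfined_domain_noaudit block and gives `xserver_xdm_rw_shm(java_t)` its own optional_policy; a one-line comment on why they are now separate would help, since the surrounding java.te declarations start and end outside this hunk.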
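Review bot: The added `allow $1_t self:capability { dac_read_search dac_override };` in the qemu.if hunk lets every domain built from this template bypass DAC file-permission checks outright (dac_override is not limited to read and search), and the hunk carries no comment saying which access forced it. If the denial being fixed was only reading or traversing paths owned by another user, `allow $1_t self:capability dac_read_search;` is the narrower grant and should be preferred; if dac_override really is required, a comment above the line recording the operation that needs it would let a later reviewer re-check whether it can be dropped. The template interface that declares `$1_t` begins and ends outside this hunk, and because the change lives inside policy-20071130.patch it applies to the generated qemu.if rather than to a checked-in module.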
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz