-@@ -638,10 +1166,77 @@
+@@ -638,10 +1167,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
@@ -26185,7 +26231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -671,10 +1266,10 @@
+@@ -671,10 +1267,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@@ -26198,7 +26244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -760,7 +1355,7 @@
+@@ -760,7 +1356,7 @@
type xconsole_device_t;
')
@@ -26207,7 +26253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -860,6 +1455,25 @@
+@@ -860,6 +1456,25 @@
########################################
##
@@ -26233,7 +26279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm-writable configuration files.
##
##
-@@ -914,6 +1528,7 @@
+@@ -914,6 +1529,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -26241,7 +26287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -932,7 +1547,7 @@
+@@ -932,7 +1548,7 @@
')
files_search_pids($1)
@@ -26250,7 +26296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -955,6 +1570,24 @@
+@@ -955,6 +1571,24 @@
########################################
##
@@ -26275,7 +26321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Execute the X server in the XDM X server domain.
##
##
-@@ -965,15 +1598,47 @@
+@@ -965,15 +1599,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
@@ -26324,7 +26370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -1123,7 +1788,7 @@
+@@ -1123,7 +1789,7 @@
type xdm_xserver_tmp_t;
')
@@ -26333,7 +26379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1312,3 +1977,83 @@
+@@ -1312,3 +1978,83 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -31003,7 +31049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-21 11:02:50.553564000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-25 13:52:57.017888000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -31038,15 +31084,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
kernel_unconfined($1)
corenet_unconfined($1)
-@@ -40,6 +40,7 @@
+@@ -40,10 +40,16 @@
domain_unconfined($1)
domain_dontaudit_read_all_domains_state($1)
domain_dontaudit_ptrace_all_domains($1)
-+ domain_mmap_low($1)
++
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
-@@ -70,6 +71,7 @@
+
++ domain_mmap_low_type($1)
++ tunable_policy(`allow_unconfined_mmap_low',`
++ domain_mmap_low($1)
++ ')
++
+ tunable_policy(`allow_execheap',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execheap;
+@@ -70,6 +76,7 @@
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
@@ -31054,7 +31109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -95,6 +97,10 @@
+@@ -95,6 +102,10 @@
optional_policy(`
storage_unconfined($1)
')
@@ -31065,7 +31120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -372,6 +378,24 @@
+@@ -372,6 +383,24 @@
########################################
##
@@ -31090,7 +31145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
## Send generic signals to the unconfined domain.
##
##
-@@ -581,7 +605,6 @@
+@@ -581,7 +610,6 @@
interface(`unconfined_dbus_connect',`
gen_require(`
type unconfined_t;
@@ -31098,19 +31153,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,49 +612,209 @@
+@@ -589,7 +617,7 @@
########################################
##
-## Read files in unconfined users home directories.
+## Allow ptrace of unconfined domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -597,20 +625,53 @@
+ ##
+ ##
+ #
+-interface(`unconfined_read_home_content_files',`
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
@@ -31148,34 +31204,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+##
+#
+interface(`unconfined_execmem_rw_shm',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_home_dir_t, unconfined_home_t;
+ type unconfined_execmem_t;
-+ ')
-+
+ ')
+
+- files_search_home($1)
+- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read unconfined users temporary files.
+## Transition to the unconfined_execmem domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -618,20 +679,58 @@
+ ##
+ ##
+ #
+-interface(`unconfined_read_tmp_files',`
+interface(`unconfined_execmem_domtrans',`
+
-+ gen_require(`
+ gen_require(`
+- type unconfined_tmp_t;
+ type unconfined_execmem_t, unconfined_execmem_exec_t;
-+ ')
-+
+ ')
+
+- files_search_tmp($1)
+- allow $1 unconfined_tmp_t:dir list_dir_perms;
+- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+ domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write unconfined users temporary files.
+## allow attempts to use unconfined ttys and ptys.
+##
+##
@@ -31217,15 +31286,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+########################################
+##
+## Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -639,10 +738,99 @@
+ ##
+ ##
+ #
+-interface(`unconfined_write_tmp_files',`
+interface(`unconfined_set_rlimitnh',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_tmp_t;
+ type unconfined_t;
+ ')
+
@@ -31254,83 +31325,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+########################################
+##
+## Read/write unconfined tmpfs files.
- ##
++##
+##
+##
+## Read/write unconfined tmpfs files.
+##
+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`unconfined_read_home_content_files',`
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`unconfined_rw_tmpfs_files',`
- gen_require(`
-- type unconfined_home_dir_t, unconfined_home_t;
++ gen_require(`
+ type unconfined_tmpfs_t;
- ')
-
-- files_search_home($1)
-- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
-- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
++ ')
++
+ fs_search_tmpfs($1)
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
- ')
-
- ########################################
- ##
--## Read unconfined users temporary files.
++')
++
++########################################
++##
+## Delete unconfined tmpfs files.
- ##
++##
+##
+##
+## Read/write unconfined tmpfs files.
+##
+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`unconfined_read_tmp_files',`
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`unconfined_delete_tmpfs_files',`
- gen_require(`
-- type unconfined_tmp_t;
++ gen_require(`
+ type unconfined_tmpfs_t;
- ')
-
-- files_search_tmp($1)
-- allow $1 unconfined_tmp_t:dir list_dir_perms;
-- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
++ ')
++
+ fs_search_tmpfs($1)
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+ delete_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
- ')
-
- ########################################
- ##
--## Write unconfined users temporary files.
++')
++
++########################################
++##
+## Get the process group of unconfined.
- ##
- ##
- ##
-@@ -639,10 +822,10 @@
- ##
- ##
- #
--interface(`unconfined_write_tmp_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`unconfined_getpgid',`
- gen_require(`
-- type unconfined_tmp_t;
++ gen_require(`
+ type unconfined_t;
')
@@ -31339,8 +31394,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-24 16:57:46.339086000 -0400
-@@ -6,35 +6,67 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-25 14:52:17.887753000 -0400
+@@ -6,35 +6,74 @@
# Declarations
#
@@ -31353,6 +31408,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+##
+##
++## Allow unconfined domain to map low memory in the kernel
++##
++##
++gen_tunable(allow_unconfined_mmap_low,false)
++
++##
++##
+## Transition to confined qemu domains from unconfined user
+##
+##
@@ -31412,7 +31474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +74,44 @@
+@@ -42,37 +81,44 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -31467,7 +31529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -101,12 +140,24 @@
+@@ -101,12 +147,24 @@
')
optional_policy(`
@@ -31492,7 +31554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -118,11 +169,7 @@
+@@ -118,11 +176,7 @@
')
optional_policy(`
@@ -31505,7 +31567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -134,82 +181,97 @@
+@@ -134,82 +188,97 @@
')
optional_policy(`
@@ -31628,7 +31690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -219,14 +281,35 @@
+@@ -219,14 +288,35 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -31684,7 +31746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-24 15:08:40.156331000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-25 08:59:40.282820000 -0400
@@ -29,9 +29,14 @@
')
@@ -35308,8 +35370,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-23 10:09:03.411358000 -0400
-@@ -0,0 +1,174 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-25 08:55:03.831022000 -0400
+@@ -0,0 +1,176 @@
+
+policy_module(virt,1.0.0)
+
@@ -35383,6 +35445,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
+logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
+
++read_files_pattern(virtd_t, virt_image_t, virt_image_t)
++
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
@@ -36159,3 +36223,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
+--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ @echo "Compliling $(NAME) $(@F) module"
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+- $(call perrole-expansion,$(basename $(@F)),$@.role)
+- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++# $(call perrole-expansion,$(basename $(@F)),$@.role)
++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -147,7 +147,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ $(verbose) echo "" > $@
+- $(call parse-rolemap,base,$@)
++# $(call parse-rolemap,base,$@)
+
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
++++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400
+@@ -96,7 +96,7 @@
+ #
+ # Load the binary policy
+ #
+-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
+ @echo "Loading $(NAME) $(loadpath)"
+ $(verbose) $(LOADPOLICY) -q $(loadpath)
+ @touch $(tmpdir)/load
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ed2863c..9e5a016 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 41%{?dist}
+Release: 42%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,11 @@ exit 0
%endif
%changelog
+* Fri Apr 25 2008 Dan Walsh 3.3.1-42
+- Add boolean to mmap_zero
+- allow tor setgid
+- Allow gnomeclock to set clock
+
* Thu Apr 24 2008 Dan Walsh 3.3.1-41
- Don't run crontab from unconfined_t