rpms/selinux-policy/devel policy-20071130.patch, 1.2, 1.3 selinux-policy.spec, 1.560, 1.561
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Dec 4 00:15:31 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26731
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Mon Dec 3 2007 Dan Walsh <dwalsh at redhat.com> 3.2.1-3
- Allow rpm_script to transition to unconfined_execmem_t
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20071130.patch 3 Dec 2007 00:15:23 -0000 1.2
+++ policy-20071130.patch 4 Dec 2007 00:15:27 -0000 1.3
@@ -1209,7 +1209,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.1/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/rpm.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/admin/rpm.te 2007-12-03 13:19:43.000000000 -0500
@@ -139,6 +139,7 @@
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
@@ -1248,6 +1248,15 @@
')
ifdef(`TODO',`
+@@ -221,7 +229,7 @@
+ #
+
+ allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+ allow rpm_script_t self:fd use;
+ allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t self:unix_dgram_socket create_socket_perms;
@@ -289,6 +297,7 @@
auth_dontaudit_getattr_shadow(rpm_script_t)
# ideally we would not need this
@@ -1275,6 +1284,14 @@
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
+@@ -350,6 +356,7 @@
+ optional_policy(`
+ unconfined_domain(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
++ unconfined_execmem_domtrans(rpm_script_t)
+
+ optional_policy(`
+ java_domtrans(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.1/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-07-23 10:20:14.000000000 -0400
+++ serefpolicy-3.2.1/policy/modules/admin/sudo.if 2007-11-30 11:23:56.000000000 -0500
@@ -3436,8 +3453,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.1/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/vmware.te 2007-11-30 11:23:56.000000000 -0500
-@@ -22,6 +22,9 @@
++++ serefpolicy-3.2.1/policy/modules/apps/vmware.te 2007-12-02 21:31:37.000000000 -0500
+@@ -22,17 +22,21 @@
type vmware_var_run_t;
files_pid_file(vmware_var_run_t)
@@ -3447,25 +3464,40 @@
########################################
#
# VMWare host local policy
-@@ -29,7 +32,7 @@
+ #
- allow vmware_host_t self:capability { setuid net_raw };
+-allow vmware_host_t self:capability { setuid net_raw };
++allow vmware_host_t self:capability { setgid setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
-@@ -41,6 +44,9 @@
++allow vmware_host_t self:tcp_socket create_socket_perms;
+
+ # cjp: the ro and rw files should be split up
+ manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
+@@ -41,6 +45,11 @@
manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
+manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)
+logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })
+
++files_search_home(vmware_host_t)
++
kernel_read_kernel_sysctls(vmware_host_t)
kernel_list_proc(vmware_host_t)
kernel_read_proc_symlinks(vmware_host_t)
+@@ -63,6 +72,7 @@
+ corenet_sendrecv_all_server_packets(vmware_host_t)
+
+ dev_read_sysfs(vmware_host_t)
++dev_read_urand(vmware_host_t)
+ dev_rw_vmware(vmware_host_t)
+
+ domain_use_interactive_fds(vmware_host_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.1/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-09-12 10:34:17.000000000 -0400
+++ serefpolicy-3.2.1/policy/modules/apps/wine.if 2007-11-30 11:23:56.000000000 -0500
@@ -5844,7 +5876,7 @@
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.1/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-12-02 18:58:51.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-12-02 19:07:25.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(cups,1.8.2)
@@ -5925,17 +5957,7 @@
allow cupsd_t hplip_var_run_t:file { read getattr };
stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
-@@ -133,8 +139,7 @@
- kernel_read_network_state(cupsd_t)
- kernel_read_all_sysctls(cupsd_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_t)
--corenet_all_recvfrom_netlabel(cupsd_t)
-+corenet_non_ipsec_sendrecv(cupsd_t)
- corenet_tcp_sendrecv_all_if(cupsd_t)
- corenet_udp_sendrecv_all_if(cupsd_t)
- corenet_raw_sendrecv_all_if(cupsd_t)
-@@ -150,31 +155,39 @@
+@@ -150,31 +156,39 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -5978,7 +6000,7 @@
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
-@@ -187,7 +200,7 @@
+@@ -187,7 +201,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -5987,7 +6009,7 @@
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -196,15 +209,14 @@
+@@ -196,15 +210,14 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -6006,7 +6028,7 @@
libs_use_ld_so(cupsd_t)
libs_use_shared_libs(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-@@ -221,14 +233,37 @@
+@@ -221,14 +234,37 @@
sysnet_read_config(cupsd_t)
@@ -6044,7 +6066,7 @@
')
optional_policy(`
-@@ -241,6 +276,7 @@
+@@ -241,6 +277,7 @@
optional_policy(`
dbus_system_bus_client_template(cupsd,cupsd_t)
@@ -6052,7 +6074,7 @@
userdom_dbus_send_all_users(cupsd_t)
-@@ -262,7 +298,7 @@
+@@ -262,7 +299,7 @@
')
optional_policy(`
@@ -6061,17 +6083,7 @@
')
optional_policy(`
-@@ -319,8 +355,7 @@
- kernel_read_system_state(cupsd_config_t)
- kernel_read_kernel_sysctls(cupsd_config_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_config_t)
--corenet_all_recvfrom_netlabel(cupsd_config_t)
-+corenet_non_ipsec_sendrecv(cupsd_config_t)
- corenet_tcp_sendrecv_all_if(cupsd_config_t)
- corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
- corenet_tcp_sendrecv_all_ports(cupsd_config_t)
-@@ -330,11 +365,13 @@
+@@ -330,11 +367,13 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -6085,7 +6097,7 @@
corecmd_exec_shell(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -376,12 +413,17 @@
+@@ -376,12 +415,17 @@
')
optional_policy(`
@@ -6103,7 +6115,7 @@
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -391,6 +433,7 @@
+@@ -391,6 +435,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -6111,17 +6123,7 @@
')
optional_policy(`
-@@ -461,8 +504,7 @@
- kernel_read_system_state(cupsd_lpd_t)
- kernel_read_network_state(cupsd_lpd_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
--corenet_all_recvfrom_netlabel(cupsd_lpd_t)
-+corenet_non_ipsec_sendrecv(cupsd_lpd_t)
- corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
- corenet_udp_sendrecv_all_if(cupsd_lpd_t)
- corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
-@@ -480,6 +522,8 @@
+@@ -480,6 +525,8 @@
files_read_etc_files(cupsd_lpd_t)
@@ -6130,7 +6132,7 @@
libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)
-@@ -487,22 +531,12 @@
+@@ -487,22 +534,12 @@
miscfiles_read_localization(cupsd_lpd_t)
@@ -6153,7 +6155,7 @@
########################################
#
# HPLIP local policy
-@@ -520,14 +554,12 @@
+@@ -520,14 +557,12 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -6172,17 +6174,7 @@
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -535,8 +567,7 @@
- kernel_read_system_state(hplip_t)
- kernel_read_kernel_sysctls(hplip_t)
-
--corenet_all_recvfrom_unlabeled(hplip_t)
--corenet_all_recvfrom_netlabel(hplip_t)
-+corenet_non_ipsec_sendrecv(hplip_t)
- corenet_tcp_sendrecv_all_if(hplip_t)
- corenet_udp_sendrecv_all_if(hplip_t)
- corenet_raw_sendrecv_all_if(hplip_t)
-@@ -558,13 +589,15 @@
+@@ -558,13 +593,15 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -6199,7 +6191,7 @@
domain_use_interactive_fds(hplip_t)
-@@ -586,6 +619,7 @@
+@@ -586,6 +623,7 @@
userdom_dontaudit_search_all_users_home_content(hplip_t)
lpd_read_config(cupsd_t)
@@ -6207,16 +6199,6 @@
optional_policy(`
seutil_sigchld_newrole(hplip_t)
-@@ -627,8 +661,7 @@
- kernel_list_proc(ptal_t)
- kernel_read_proc_symlinks(ptal_t)
-
--corenet_all_recvfrom_unlabeled(ptal_t)
--corenet_all_recvfrom_netlabel(ptal_t)
-+corenet_non_ipsec_sendrecv(ptal_t)
- corenet_tcp_sendrecv_all_if(ptal_t)
- corenet_tcp_sendrecv_all_nodes(ptal_t)
- corenet_tcp_sendrecv_all_ports(ptal_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.1/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-11-15 13:40:14.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/cvs.te 2007-11-30 11:23:56.000000000 -0500
@@ -7993,7 +7975,7 @@
+/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.1/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/networkmanager.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/services/networkmanager.te 2007-12-02 21:09:24.000000000 -0500
@@ -13,6 +13,9 @@
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
@@ -8009,7 +7991,7 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
@@ -11746,7 +11728,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/xserver.te 2007-12-01 06:51:49.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/services/xserver.te 2007-12-03 19:02:05.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -11824,13 +11806,14 @@
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -132,15 +166,21 @@
+@@ -132,15 +166,22 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_rw_tmpfs_files(xdm_xserver_t)
+fs_getattr_all_fs(xdm_t)
+fs_search_inotifyfs(xdm_t)
++fs_list_all(xdm_t)
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
@@ -11847,7 +11830,15 @@
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -185,6 +225,7 @@
+@@ -154,6 +195,7 @@
+ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+
+ allow xdm_t xdm_xserver_t:shm rw_shm_perms;
++read_files_pattern(xdm_t, xdm_xserver_t, xdm_xserver_t)
+
+ # connect to xdm xserver over stream socket
+ stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
+@@ -185,6 +227,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@@ -11855,7 +11846,7 @@
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
-@@ -197,6 +238,7 @@
+@@ -197,6 +240,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -11863,7 +11854,7 @@
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -209,8 +251,8 @@
+@@ -209,8 +253,8 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -11874,7 +11865,7 @@
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
-@@ -246,6 +288,7 @@
+@@ -246,6 +290,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -11882,7 +11873,7 @@
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -257,12 +300,11 @@
+@@ -257,12 +302,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -11896,7 +11887,7 @@
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -271,6 +313,10 @@
+@@ -271,6 +315,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -11907,7 +11898,7 @@
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -306,6 +352,11 @@
+@@ -306,6 +354,11 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@@ -11919,7 +11910,7 @@
')
optional_policy(`
-@@ -323,6 +374,10 @@
+@@ -323,6 +376,10 @@
')
optional_policy(`
@@ -11930,7 +11921,7 @@
loadkeys_exec(xdm_t)
')
-@@ -336,10 +391,6 @@
+@@ -336,10 +393,6 @@
')
optional_policy(`
@@ -11941,7 +11932,7 @@
seutil_sigchld_newrole(xdm_t)
')
-@@ -348,8 +399,8 @@
+@@ -348,8 +401,8 @@
')
optional_policy(`
@@ -11951,7 +11942,7 @@
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -385,7 +436,7 @@
+@@ -385,7 +438,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -11960,7 +11951,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -397,6 +448,15 @@
+@@ -397,6 +450,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -11976,7 +11967,7 @@
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -409,6 +469,7 @@
+@@ -409,6 +471,7 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -11984,7 +11975,7 @@
xserver_use_all_users_fonts(xdm_xserver_t)
-@@ -425,6 +486,14 @@
+@@ -425,6 +488,14 @@
')
optional_policy(`
@@ -11999,7 +11990,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -434,47 +503,30 @@
+@@ -434,47 +505,30 @@
')
optional_policy(`
@@ -12261,7 +12252,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.1/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/authlogin.te 2007-11-30 11:33:09.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/system/authlogin.te 2007-12-03 18:47:11.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -12282,15 +12273,30 @@
########################################
#
# PAM local policy
-@@ -121,6 +127,7 @@
+@@ -121,19 +127,14 @@
logging_send_syslog_msg(pam_t)
userdom_use_unpriv_users_fds(pam_t)
+userdom_write_unpriv_users_tmp_files(pam_t)
++userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
++userdom_unlink_unpriv_users_tmp_files(pam_t)
optional_policy(`
locallogin_use_fds(pam_t)
-@@ -287,8 +294,10 @@
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(pam_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(pam_t)
+-')
+-
+ ########################################
+ #
+ # PAM console local policy
+@@ -287,8 +288,10 @@
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
@@ -12302,7 +12308,7 @@
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
-@@ -337,11 +346,6 @@
+@@ -337,11 +340,6 @@
')
optional_policy(`
@@ -14493,16 +14499,17 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.fc 2007-11-30 11:23:56.000000000 -0500
-@@ -10,3 +10,5 @@
++++ serefpolicy-3.2.1/policy/modules/system/unconfined.fc 2007-12-03 13:36:12.000000000 -0500
+@@ -10,3 +10,6 @@
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.1/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/system/unconfined.if 2007-12-03 13:19:33.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -14537,19 +14544,20 @@
kernel_unconfined($1)
corenet_unconfined($1)
-@@ -589,7 +589,101 @@
+@@ -589,7 +589,7 @@
########################################
## <summary>
-## Read files in unconfined users home directories.
+## Allow ptrace of unconfined domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -597,20 +597,53 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`unconfined_read_home_content_files',`
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
@@ -14569,15 +14577,21 @@
+## </param>
+#
+interface(`unconfined_rw_shm',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_home_dir_t, unconfined_home_t;
+ type unconfined_t;
-+ ')
-+
+ ')
+
+- files_search_home($1)
+- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ allow $1 unconfined_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read unconfined users temporary files.
+## Read and write to unconfined execmem shared memory.
+## </summary>
+## <param name="domain">
@@ -14596,10 +14610,36 @@
+
+########################################
+## <summary>
++## Transition to the unconfined_execmem domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -618,31 +651,132 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`unconfined_read_tmp_files',`
++interface(`unconfined_execmem_domtrans',`
++
+ gen_require(`
+- type unconfined_tmp_t;
++ type unconfined_execmem_t, unconfined_execmem_exec_t;
+ ')
+
+- files_search_tmp($1)
+- allow $1 unconfined_tmp_t:dir list_dir_perms;
+- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
++ domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Write unconfined users temporary files.
+## allow attempts to use unconfined ttys and ptys.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
@@ -14637,65 +14677,51 @@
+########################################
+## <summary>
+## Allow apps to set rlimits on userdomain
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -597,20 +691,18 @@
- ## </summary>
- ## </param>
- #
--interface(`unconfined_read_home_content_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`unconfined_set_rlimitnh',`
- gen_require(`
-- type unconfined_home_dir_t, unconfined_home_t;
++ gen_require(`
+ type unconfined_t;
- ')
-
-- files_search_home($1)
-- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
-- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
++ ')
++
+ allow $1 unconfined_t:process rlimitinh;
- ')
-
- ########################################
- ## <summary>
--## Read unconfined users temporary files.
++')
++
++########################################
++## <summary>
+## Allow the specified domain to read/write to
+## unconfined with a unix domain stream sockets.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -618,31 +710,54 @@
- ## </summary>
- ## </param>
- #
--interface(`unconfined_read_tmp_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`unconfined_rw_stream_sockets',`
- gen_require(`
-- type unconfined_tmp_t;
++ gen_require(`
+ type unconfined_t;
- ')
-
-- files_search_tmp($1)
-- allow $1 unconfined_tmp_t:dir list_dir_perms;
-- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
++ ')
++
+ allow $1 unconfined_t:unix_stream_socket { read write };
- ')
-
- ########################################
- ## <summary>
--## Write unconfined users temporary files.
++')
++
++########################################
++## <summary>
+## Read/write unconfined tmpfs files.
- ## </summary>
++## </summary>
+## <desc>
+## <p>
+## Read/write unconfined tmpfs files.
+## </p>
+## </desc>
- ## <param name="domain">
- ## <summary>
++## <param name="domain">
++## <summary>
## Domain allowed access.
## </summary>
## </param>
@@ -14733,8 +14759,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.te 2007-11-30 11:23:56.000000000 -0500
-@@ -9,13 +9,15 @@
++++ serefpolicy-3.2.1/policy/modules/system/unconfined.te 2007-12-03 13:35:11.000000000 -0500
+@@ -9,32 +9,46 @@
# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
@@ -14754,7 +14780,16 @@
type unconfined_execmem_t;
type unconfined_execmem_exec_t;
-@@ -27,14 +29,21 @@
+ init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+ role unconfined_r types unconfined_execmem_t;
+
++type unconfined_notrans_t;
++type unconfined_notrans_exec_t;
++init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
++role unconfined_r types unconfined_notrans_t;
++
+ ########################################
+ #
# Local policy
#
@@ -14776,7 +14811,7 @@
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,7 +51,10 @@
+@@ -42,7 +56,10 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -14787,7 +14822,7 @@
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -51,13 +63,13 @@
+@@ -51,13 +68,13 @@
userdom_priveleged_home_dir_manager(unconfined_t)
optional_policy(`
@@ -14803,7 +14838,7 @@
unconfined_domain(httpd_unconfined_script_t)
')
-@@ -71,8 +83,8 @@
+@@ -71,8 +88,8 @@
optional_policy(`
cron_per_role_template(unconfined, unconfined_t, unconfined_r)
@@ -14814,7 +14849,7 @@
')
optional_policy(`
-@@ -107,6 +119,10 @@
+@@ -107,6 +124,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
@@ -14825,7 +14860,7 @@
')
optional_policy(`
-@@ -118,11 +134,11 @@
+@@ -118,11 +139,11 @@
')
optional_policy(`
@@ -14839,7 +14874,7 @@
')
optional_policy(`
-@@ -134,11 +150,7 @@
+@@ -134,11 +155,7 @@
')
optional_policy(`
@@ -14852,7 +14887,7 @@
')
optional_policy(`
-@@ -154,33 +166,20 @@
+@@ -154,33 +171,20 @@
')
optional_policy(`
@@ -14890,15 +14925,16 @@
')
optional_policy(`
-@@ -205,11 +204,22 @@
+@@ -205,11 +209,22 @@
')
optional_policy(`
- wine_domtrans(unconfined_t)
+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- xserver_domtrans_xdm_xserver(unconfined_t)
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mozilla_t)
+ allow unconfined_mozilla_t self:process { execstack execmem };
@@ -14906,16 +14942,15 @@
+
+optional_policy(`
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
- ')
-
- optional_policy(`
-- xserver_domtrans_xdm_xserver(unconfined_t)
++')
++
++optional_policy(`
+ xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t)
')
########################################
-@@ -219,14 +229,26 @@
+@@ -219,14 +234,35 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -14942,6 +14977,15 @@
+
+ ')
')
++
++########################################
++#
++# Unconfined Execmem Local policy
++#
++
++allow unconfined_notrans_t self:process { execstack execmem };
++unconfined_domain_noaudit(unconfined_notrans_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.1/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/system/userdomain.fc 2007-11-30 11:23:56.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.560
retrieving revision 1.561
diff -u -r1.560 -r1.561
--- selinux-policy.spec 3 Dec 2007 00:15:23 -0000 1.560
+++ selinux-policy.spec 4 Dec 2007 00:15:27 -0000 1.561
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -379,7 +379,9 @@
%endif
%changelog
-* Sun Dec 2 2007 Dan Walsh <dwalsh at redhat.com> 3.2.1-2
+* Mon Dec 3 2007 Dan Walsh <dwalsh at redhat.com> 3.2.1-3
+- Allow rpm_script to transition to unconfined_execmem_t
+
* Fri Nov 30 2007 Dan Walsh <dwalsh at redhat.com> 3.2.1-1
- Remove user based home directory separation
More information about the fedora-extras-commits
mailing list