rpms/selinux-policy/devel policy-20071023.patch,1.6,1.7
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Nov 12 22:47:20 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10988
Modified Files:
policy-20071023.patch
Log Message:
* Sat Nov 10 2007 Dan Walsh <dwalsh at redhat.com> 3.1.1-1
- Update to upstream
policy-20071023.patch:
Index: policy-20071023.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071023.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20071023.patch 10 Nov 2007 13:20:34 -0000 1.6
+++ policy-20071023.patch 12 Nov 2007 22:47:17 -0000 1.7
@@ -1087,7 +1087,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.1.0/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/admin/prelink.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/admin/prelink.te 2007-11-12 10:43:25.000000000 -0500
@@ -26,7 +26,7 @@
# Local policy
#
@@ -1137,6 +1137,14 @@
optional_policy(`
amanda_manage_lib(prelink_t)
')
+@@ -88,3 +94,7 @@
+ optional_policy(`
+ cron_system_entry(prelink_t, prelink_exec_t)
+ ')
++
++optional_policy(`
++ unconfined_domain(prelink_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.1.0/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/admin/rpm.fc 2007-11-06 09:28:35.000000000 -0500
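Review bot: `unconfined_domain(prelink_t)` inside the new optional_policy block makes prelink_t an unconfined domain whenever the unconfined module is loaded, which on a default targeted build removes the confinement of prelink entirely; the hunk carries no reason and the log message only says "Update to upstream". The same pattern is added for mdadm_t in the raid.te hunk further down. Whatever prelink was actually being denied would be better granted as specific rules; if unconfining is deliberate, add a why-comment above the block, e.g. `# prelink runs unconfined: TODO(review) record the denials that motivated this`. The prelink.te local policy continues outside the hunk.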
@@ -2967,7 +2975,7 @@
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.1.0/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-08 14:28:51.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-12 16:37:44.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -2977,7 +2985,33 @@
relabelfrom_fifo_files_pattern($1,device_t,device_node)
relabelfrom_sock_files_pattern($1,device_t,device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
-@@ -2787,6 +2787,97 @@
+@@ -167,6 +167,25 @@
+
+ ########################################
+ ## <summary>
++## Manage of directories in /dev.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to relabel.
++## </summary>
++## </param>
++#
++interface(`dev_manage_generic_dirs',`
++ gen_require(`
++ type device_t;
++ ')
++
++ manage_dirs_pattern($1,device_t,device_t)
++')
++
++
++########################################
++## <summary>
+ ## Delete a directory in the device directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -2787,6 +2806,97 @@
########################################
## <summary>
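Review bot: The doc block of the new `dev_manage_generic_dirs` interface has two wording defects: the summary `## Manage of directories in /dev.` is ungrammatical, and the parameter summary `## Domain allowed to relabel.` was copied from a relabel interface although this one grants manage permissions. Suggest `## Create, read, write, and delete directories in /dev.` and `## Domain allowed access.`, the latter matching the other interfaces in this file. Callers switched to it in the xserver.if hunk gain delete and rename on device_t directories beyond the create/setattr they had before, which is worth a line in the commit message.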
@@ -3075,7 +3109,7 @@
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3322,3 +3413,4 @@
+@@ -3322,3 +3432,4 @@
typeattribute $1 devices_unconfined_type;
')
@@ -3400,7 +3434,7 @@
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.1.0/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-08 09:03:24.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-12 10:17:15.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3692,7 +3726,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-07 15:26:15.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-12 17:45:22.000000000 -0500
@@ -20,20 +20,22 @@
# Declarations
#
@@ -4073,15 +4107,15 @@
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -4133,19 +4167,45 @@
')
########################################
-@@ -730,3 +862,20 @@
+@@ -730,3 +862,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
++
++type httpd_bugzilla_tmp_t;
++files_tmp_file(httpd_bugzilla_tmp_t)
++
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
++allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
++allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
++
++corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
++corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
++corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
++corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
++
++manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
++manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
++files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
++sysnet_read_config(httpd_bugzilla_script_t)
++
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
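Review bot: The tcp/udp socket rules and the corenet_* rules added for httpd_bugzilla_script_t are unconditional, whereas the generic CGI domain at the top of the previous hunk only gets its database network access under ``tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` ``. Consider wrapping the socket, corenet_* and mysql/postgresql lines in ``tunable_policy(`httpd_can_network_connect_db',` `` … ``')`` so the same administrator boolean governs outbound connections from this script. The `corenet_*_sendrecv_all_ports` and `corenet_all_recvfrom_unlabeled` lines are also wider than the connect rules, which are already limited to the postgresql, mysqld and http ports; check whether the all-ports rules are really needed. The bugzilla optional_policy block at the end of the hunk is cut off.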
@@ -4964,7 +5024,7 @@
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.1.0/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-08 13:32:52.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-12 17:22:30.000000000 -0500
@@ -48,9 +48,7 @@
type hplip_t;
type hplip_exec_t;
@@ -5075,7 +5135,7 @@
init_exec_script_files(cupsd_t)
-@@ -221,17 +222,37 @@
+@@ -221,17 +222,38 @@
sysnet_read_config(cupsd_t)
@@ -5099,6 +5159,7 @@
+ init_stream_connect_script(cupsd_t)
+
+ unconfined_rw_pipes(cupsd_t)
++ unconfined_rw_stream_sockets(cupsd_t)
+
+ optional_policy(`
+ init_dbus_chat_script(cupsd_t)
@@ -5113,7 +5174,7 @@
apm_domtrans_client(cupsd_t)
')
-@@ -262,16 +283,16 @@
+@@ -262,16 +284,16 @@
')
optional_policy(`
@@ -5134,7 +5195,7 @@
seutil_sigchld_newrole(cupsd_t)
')
-@@ -291,7 +312,9 @@
+@@ -291,7 +313,9 @@
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
@@ -5145,7 +5206,7 @@
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t,cupsd_t)
-@@ -330,6 +353,7 @@
+@@ -330,6 +354,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -5153,7 +5214,7 @@
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -354,6 +378,8 @@
+@@ -354,6 +379,8 @@
logging_send_syslog_msg(cupsd_config_t)
@@ -5162,7 +5223,7 @@
miscfiles_read_localization(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
-@@ -376,6 +402,14 @@
+@@ -376,6 +403,14 @@
')
optional_policy(`
@@ -5177,7 +5238,7 @@
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -391,6 +425,7 @@
+@@ -391,6 +426,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -5185,7 +5246,7 @@
')
optional_policy(`
-@@ -402,14 +437,6 @@
+@@ -402,14 +438,6 @@
')
optional_policy(`
@@ -5200,7 +5261,7 @@
rpm_read_db(cupsd_config_t)
')
-@@ -430,7 +457,6 @@
+@@ -430,7 +458,6 @@
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
allow cupsd_lpd_t self:udp_socket create_socket_perms;
@@ -5208,7 +5269,7 @@
# for identd
# cjp: this should probably only be inetd_child rules?
-@@ -480,6 +506,8 @@
+@@ -480,6 +507,8 @@
files_read_etc_files(cupsd_lpd_t)
@@ -5217,7 +5278,7 @@
libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)
-@@ -495,14 +523,6 @@
+@@ -495,14 +524,6 @@
inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
')
@@ -5232,7 +5293,7 @@
########################################
#
# HPLIP local policy
-@@ -523,11 +543,9 @@
+@@ -523,11 +544,9 @@
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
@@ -5247,7 +5308,7 @@
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -558,7 +576,9 @@
+@@ -558,7 +577,9 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -5258,7 +5319,7 @@
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -585,8 +605,6 @@
+@@ -585,8 +606,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -5267,7 +5328,7 @@
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
-@@ -666,3 +684,15 @@
+@@ -666,3 +685,15 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -6156,8 +6217,19 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.1.0/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-08 13:24:56.000000000 -0500
-@@ -84,6 +84,7 @@
++++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-12 11:36:04.000000000 -0500
+@@ -30,6 +30,10 @@
+ type inetd_child_var_run_t;
+ files_pid_file(inetd_child_var_run_t)
+
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
++')
++
+ ########################################
+ #
+ # Local policy
+@@ -84,6 +88,7 @@
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
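Review bot: `init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)` gives inetd the full MCS category range but carries no comment, unlike the existing `# xinetd needs MLS override privileges to work` line a hunk later. A reader cannot tell from the policy whether the whole range is required or only the categories of the services inetd spawns. Add a why-comment above the ifdef, e.g. `# inetd runs with the full MCS range so it can launch services at any category`, adjusted to the actual reason. The inetd.te declarations section continues outside the hunk.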
@@ -6165,7 +6237,7 @@
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rlogind_port(inetd_t)
-@@ -137,6 +138,7 @@
+@@ -137,6 +142,7 @@
miscfiles_read_localization(inetd_t)
# xinetd needs MLS override privileges to work
@@ -6173,7 +6245,7 @@
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
-@@ -164,6 +166,7 @@
+@@ -164,6 +170,7 @@
')
optional_policy(`
@@ -6181,7 +6253,7 @@
unconfined_domtrans(inetd_t)
')
-@@ -180,6 +183,9 @@
+@@ -180,6 +187,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
@@ -6191,7 +6263,7 @@
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -226,3 +232,7 @@
+@@ -226,3 +236,7 @@
optional_policy(`
unconfined_domain(inetd_child_t)
')
@@ -6209,19 +6281,22 @@
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.1.0/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/kerberos.if 2007-11-07 11:41:20.000000000 -0500
-@@ -42,6 +42,10 @@
- dontaudit $1 krb5_conf_t:file write;
++++ serefpolicy-3.1.0/policy/modules/services/kerberos.if 2007-11-12 16:50:13.000000000 -0500
+@@ -43,7 +43,13 @@
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
-+
+
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
+ seutil_dontaudit_read_file_contexts($1)
-
++
tunable_policy(`allow_kerberos',`
++ fs_rw_tmpfs_files($1)
++
allow $1 self:tcp_socket create_socket_perms;
-@@ -61,9 +65,6 @@
+ allow $1 self:udp_socket create_socket_perms;
+
+@@ -61,11 +67,7 @@
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
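Review bot: `fs_rw_tmpfs_files($1)` inside the allow_kerberos tunable grants every caller of this interface read/write on all generic tmpfs_t files, which is much wider than the kerberos-specific types handled elsewhere in the interface, and the line says nothing about which file the libraries touch. If this is for one specific cache or ticket file, a dedicated type with its own filetrans would be narrower; otherwise add a comment naming the reason, e.g. `# kerberos libraries read/write a file on tmpfs: TODO(review) name it`. The interface name is outside the hunk, so it is not visible here how many domains call it.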
@@ -6229,9 +6304,11 @@
- sysnet_read_config($1)
- sysnet_dns_name_resolve($1)
')
-
+-
optional_policy(`
-@@ -172,3 +173,51 @@
+ tunable_policy(`allow_kerberos',`
+ pcscd_stream_connect($1)
+@@ -172,3 +174,51 @@
allow $1 krb5kdc_conf_t:file read_file_perms;
')
@@ -7488,6 +7565,17 @@
logrotate_exec(ntpd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.1.0/policy/modules/services/openct.te
+--- nsaserefpolicy/policy/modules/services/openct.te 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/openct.te 2007-11-12 10:46:57.000000000 -0500
+@@ -22,6 +22,7 @@
+ allow openct_t self:process signal_perms;
+
+ manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
++manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+ files_pid_filetrans(openct_t,openct_var_run_t,file)
+
+ kernel_read_kernel_sysctls(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.1.0/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-07 15:47:03.000000000 -0500
@@ -8273,7 +8361,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.1.0/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/rlogin.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/rlogin.te 2007-11-12 10:59:25.000000000 -0500
@@ -36,6 +36,8 @@
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rlogind_t,rlogind_devpts_t)
@@ -9720,7 +9808,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.1.0/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/ssh.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/ssh.te 2007-11-12 11:36:01.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -9988,7 +10076,7 @@
+miscfiles_read_certs(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.1.0/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/xserver.fc 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/xserver.fc 2007-11-12 11:55:11.000000000 -0500
@@ -32,11 +32,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -10011,9 +10099,11 @@
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -92,13 +88,16 @@
+@@ -91,14 +87,19 @@
+
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
++/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@@ -10026,12 +10116,13 @@
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.1.0/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-08 14:26:18.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-12 16:37:20.000000000 -0500
@@ -58,7 +58,6 @@
allow $1_xserver_t self:msg { send receive };
allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -10040,7 +10131,17 @@
allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
allow $1_xserver_t self:udp_socket create_socket_perms;
-@@ -126,6 +125,9 @@
+@@ -116,8 +115,7 @@
+ dev_rw_agp($1_xserver_t)
+ dev_rw_framebuffer($1_xserver_t)
+ dev_manage_dri_dev($1_xserver_t)
+- dev_create_generic_dirs($1_xserver_t)
+- dev_setattr_generic_dirs($1_xserver_t)
++ dev_manage_generic_dirs($1_xserver_t)
+ # raw memory access is needed if not using the frame buffer
+ dev_read_raw_memory($1_xserver_t)
+ dev_wx_raw_memory($1_xserver_t)
+@@ -126,6 +124,9 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
@@ -10050,7 +10151,7 @@
domain_mmap_low($1_xserver_t)
-@@ -141,10 +143,14 @@
+@@ -141,10 +142,14 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
@@ -10066,7 +10167,7 @@
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
-@@ -160,8 +166,6 @@
+@@ -160,8 +165,6 @@
seutil_dontaudit_search_config($1_xserver_t)
@@ -10075,7 +10176,7 @@
ifndef(`distro_redhat',`
allow $1_xserver_t self:process { execmem execheap execstack };
')
-@@ -179,14 +183,6 @@
+@@ -179,14 +182,6 @@
')
optional_policy(`
@@ -10090,7 +10191,7 @@
rhgb_getpgid($1_xserver_t)
rhgb_signal($1_xserver_t)
')
-@@ -251,7 +247,7 @@
+@@ -251,7 +246,7 @@
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
@@ -10099,7 +10200,7 @@
type $1_iceauth_t;
domain_type($1_iceauth_t)
-@@ -282,11 +278,14 @@
+@@ -282,11 +277,14 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -10114,7 +10215,7 @@
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -316,6 +315,7 @@
+@@ -316,6 +314,7 @@
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -10122,7 +10223,7 @@
xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -353,12 +353,6 @@
+@@ -353,12 +352,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@@ -10135,7 +10236,7 @@
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
-@@ -387,6 +381,14 @@
+@@ -387,6 +380,14 @@
')
optional_policy(`
@@ -10150,7 +10251,7 @@
nis_use_ypbind($1_xauth_t)
')
-@@ -536,17 +538,15 @@
+@@ -536,17 +537,15 @@
template(`xserver_user_client_template',`
gen_require(`
@@ -10174,7 +10275,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +555,53 @@
+@@ -555,25 +554,53 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -10236,7 +10337,7 @@
')
')
-@@ -626,6 +654,24 @@
+@@ -626,6 +653,24 @@
########################################
## <summary>
@@ -10261,7 +10362,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +705,73 @@
+@@ -659,6 +704,73 @@
########################################
## <summary>
@@ -10335,7 +10436,33 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -927,6 +1040,7 @@
+@@ -873,6 +985,25 @@
+
+ ########################################
+ ## <summary>
++## Connect to apmd over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_stream_connect',`
++ gen_require(`
++ type xdm_xserver_t, xserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t)
++')
++
++########################################
++## <summary>
+ ## Read xdm-writable configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -927,6 +1058,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
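Review bot: The summary of the new `xserver_stream_connect` interface reads `## Connect to apmd over an unix stream socket.`, but the body connects to xdm_xserver_t via xserver_var_run_t, so the text looks copied from another interface. Change it to `## Connect to the X server over a unix stream socket.` so the generated interface documentation is not misleading.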
@@ -10343,7 +10470,7 @@
')
########################################
-@@ -987,6 +1101,37 @@
+@@ -987,6 +1119,37 @@
########################################
## <summary>
@@ -10381,7 +10508,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1281,7 @@
+@@ -1136,7 +1299,7 @@
type xdm_xserver_tmp_t;
')
@@ -10390,7 +10517,7 @@
')
########################################
-@@ -1325,3 +1470,45 @@
+@@ -1325,3 +1488,45 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -10438,7 +10565,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.1.0/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-12 11:58:29.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -10453,7 +10580,20 @@
## Allow xdm logins as sysadm
## </p>
## </desc>
-@@ -96,7 +103,7 @@
+@@ -56,6 +63,12 @@
+ type xdm_var_run_t;
+ files_pid_file(xdm_var_run_t)
+
++type xserver_var_run_t;
++files_pid_file(xserver_var_run_t)
++
++type xdm_var_run_t;
++files_pid_file(xdm_var_run_t)
++
+ type xdm_tmp_t;
+ files_tmp_file(xdm_tmp_t)
+ typealias xdm_tmp_t alias ice_tmp_t;
+@@ -96,7 +109,7 @@
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
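Review bot: The added `type xdm_var_run_t;` / `files_pid_file(xdm_var_run_t)` pair duplicates the declaration still visible as context two lines above it; I would expect checkmodule to reject a second declaration of the same type in one module, and at best the lines are redundant. The xserver.fc hunk labels /var/lib/xorg as xserver_var_lib_t and the later xserver.te hunk manages that type, yet no visible hunk declares it, so the intended lines were probably `type xserver_var_lib_t;` and `files_type(xserver_var_lib_t)`. Please verify against the full patch.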
@@ -10462,7 +10602,7 @@
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
-@@ -132,15 +139,20 @@
+@@ -132,15 +145,20 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -10484,7 +10624,7 @@
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -185,6 +197,7 @@
+@@ -185,6 +203,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@@ -10492,7 +10632,7 @@
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
-@@ -197,6 +210,7 @@
+@@ -197,6 +216,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -10500,7 +10640,7 @@
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -246,6 +260,7 @@
+@@ -246,6 +266,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -10508,7 +10648,7 @@
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -257,6 +272,7 @@
+@@ -257,6 +278,7 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -10516,7 +10656,7 @@
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-@@ -271,6 +287,10 @@
+@@ -271,6 +293,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -10527,7 +10667,7 @@
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -306,6 +326,10 @@
+@@ -306,6 +332,10 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@@ -10538,7 +10678,7 @@
')
optional_policy(`
-@@ -348,8 +372,8 @@
+@@ -348,8 +378,8 @@
')
optional_policy(`
@@ -10548,7 +10688,7 @@
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -385,7 +409,7 @@
+@@ -385,7 +415,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -10557,7 +10697,23 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +449,14 @@
+@@ -397,6 +427,15 @@
+ can_exec(xdm_xserver_t, xkb_var_lib_t)
+ files_search_var_lib(xdm_xserver_t)
+
++manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
++manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
++files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir)
++
++manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
++manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
++manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
++files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)
++
+ # VNC v4 module in X server
+ corenet_tcp_bind_vnc_port(xdm_xserver_t)
+
+@@ -425,6 +464,14 @@
')
optional_policy(`
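Review bot: `manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)` is the one line in the new xserver_var_run_t block that names xdm_var_run_t, and the `files_pid_filetrans` below it only transitions the dir class, so a socket the X server creates inside its /var/run/xorg directory would presumably inherit xserver_var_run_t and not be covered by this rule. If the socket rule was meant for the new type, change it to `manage_sock_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)`; if it really targets the xdm pid directory, a short comment saying so would help. The surrounding xdm_xserver_t rules continue outside the hunk.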
@@ -10572,7 +10728,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -434,47 +466,31 @@
+@@ -434,47 +481,31 @@
')
optional_policy(`
@@ -10597,6 +10753,11 @@
+ # xserver signals unconfined user on startx
+ unconfined_signal(xdm_xserver_t)
+ unconfined_getpgid(xdm_xserver_t)
++')
++
++
++tunable_policy(`allow_xserver_execmem', `
++ allow xdm_xserver_t self:process { execheap execmem execstack };
')
-ifdef(`TODO',`
@@ -10620,11 +10781,6 @@
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-+
-+tunable_policy(`allow_xserver_execmem', `
-+ allow xdm_xserver_t self:process { execheap execmem execstack };
-+')
-+
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
+')
@@ -10810,7 +10966,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.1.0/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/authlogin.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/authlogin.te 2007-11-12 12:07:41.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -10831,6 +10987,17 @@
########################################
#
# PAM local policy
+@@ -287,8 +293,8 @@
+ files_manage_etc_files(updpwd_t)
+
+ term_dontaudit_use_console(updpwd_t)
+-term_dontaudit_use_console(updpwd_t)
+-term_dontaudit_use_unallocated_ttys(updpwd_t)
++term_dontaudit_use_all_user_ptys(updpwd_t)
++term_dontaudit_use_all_user_ttys(updpwd_t)
+
+ auth_manage_shadow(updpwd_t)
+ auth_use_nsswitch(updpwd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.1.0/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/fstools.fc 2007-11-06 09:28:35.000000000 -0500
@@ -11288,7 +11455,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.1.0/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-08 13:26:15.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-12 11:17:51.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@@ -12377,7 +12544,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.1.0/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/raid.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/raid.te 2007-11-12 10:43:40.000000000 -0500
@@ -19,7 +19,7 @@
# Local policy
#
@@ -12395,6 +12562,14 @@
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+@@ -85,3 +86,7 @@
+ optional_policy(`
+ udev_read_db(mdadm_t)
+ ')
++
++optional_policy(`
++ unconfined_domain(mdadm_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.1.0/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.fc 2007-11-06 09:28:35.000000000 -0500
@@ -12684,7 +12859,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-09 14:28:06.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-12 11:41:33.000000000 -0500
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -12704,7 +12879,15 @@
type semanage_store_t;
files_type(semanage_store_t)
-@@ -194,10 +197,19 @@
+@@ -170,6 +173,7 @@
+ files_read_etc_runtime_files(load_policy_t)
+
+ fs_getattr_xattr_fs(load_policy_t)
++fs_list_inotifyfs(load_policy_t)
+
+ mls_file_read_all_levels(load_policy_t)
+
+@@ -194,10 +198,19 @@
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
optional_policy(`
@@ -12725,7 +12908,7 @@
########################################
#
# Newrole local policy
-@@ -215,7 +227,7 @@
+@@ -215,7 +228,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -12734,7 +12917,7 @@
read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-@@ -252,7 +264,9 @@
+@@ -252,7 +265,9 @@
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -12744,7 +12927,7 @@
auth_rw_faillog(newrole_t)
corecmd_list_bin(newrole_t)
-@@ -273,6 +287,7 @@
+@@ -273,6 +288,7 @@
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@@ -12752,7 +12935,7 @@
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
-@@ -294,14 +309,6 @@
+@@ -294,14 +310,6 @@
files_polyinstantiate_all(newrole_t)
')
@@ -12767,7 +12950,7 @@
########################################
#
# Restorecond local policy
-@@ -309,11 +316,12 @@
+@@ -309,11 +317,12 @@
allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;
@@ -12781,7 +12964,7 @@
kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
-@@ -343,15 +351,12 @@
+@@ -343,15 +352,12 @@
miscfiles_read_localization(restorecond_t)
@@ -12799,7 +12982,7 @@
#################################
#
-@@ -361,7 +366,7 @@
+@@ -361,7 +367,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -12808,7 +12991,7 @@
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -375,6 +380,7 @@
+@@ -375,6 +381,7 @@
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -12816,7 +12999,7 @@
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
-@@ -425,75 +431,49 @@
+@@ -425,75 +432,49 @@
########################################
#
@@ -12917,7 +13100,7 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -519,7 +499,12 @@
+@@ -519,7 +500,12 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
@@ -12931,7 +13114,7 @@
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
-@@ -537,6 +522,7 @@
+@@ -537,6 +523,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -12939,7 +13122,7 @@
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -590,8 +576,16 @@
+@@ -590,8 +577,16 @@
fs_relabel_tmpfs_chr_file(setfiles_t)
')
@@ -13438,7 +13621,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.0/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-11-12 10:02:01.000000000 -0500
@@ -5,17 +5,18 @@
#
# Declarations