rpms/selinux-policy/devel policy-20070703.patch, 1.101, 1.102 selinux-policy.spec, 1.551, 1.552

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Oct 22 14:27:32 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27053

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-29
- Allow XServer to read /proc/self/cmdline


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -r1.101 -r1.102
--- policy-20070703.patch	19 Oct 2007 21:21:40 -0000	1.101
+++ policy-20070703.patch	22 Oct 2007 14:27:28 -0000	1.102
@@ -766,7 +766,7 @@
 +/bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if
 --- nsaserefpolicy/policy/modules/admin/alsa.if	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.if	2007-10-22 10:19:13.000000000 -0400
 @@ -74,3 +74,39 @@
  	read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
  	read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
@@ -7735,7 +7735,7 @@
  /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-19 15:06:33.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-22 10:00:45.000000000 -0400
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -7780,11 +7780,13 @@
  allow hald_acl_t self:fifo_file read_fifo_file_perms;
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -341,9 +348,12 @@
+@@ -340,10 +347,14 @@
+ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
  files_search_var_lib(hald_mac_t)
  
++dev_read_raw_memory(hald_mac_t)
  dev_write_raw_memory(hald_mac_t)
-+dev_read_sysfs(hald_t)
++dev_read_sysfs(hald_mac_t)
  
  files_read_usr_files(hald_mac_t)
  
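Review bot: `dev_read_raw_memory(hald_mac_t)` together with the `dev_write_raw_memory(hald_mac_t)` already on the next line gives hald_mac_t read and write access to the raw memory device class, which in practice is unconfined access to physical and kernel memory, and the hunk carries no comment saying which hald helper needs it or for what. I would put a why-comment above the pair, filled in from the denial that prompted the rule, e.g. `# raw memory read/write: required by <helper> for <purpose>; audit before widening further`, so the next reviewer can judge whether it is still needed. Replacing `dev_read_sysfs(hald_t)` with `dev_read_sysfs(hald_mac_t)` reads as a correction of the previous revision, but it also silently drops the sysfs grant for hald_t; confirm hald_t obtains it elsewhere. Neither change appears in the 3.0.8-29 changelog entry, which lists only the X server cmdline rule. The enclosing hald_mac_t section of hal.te continues outside this hunk.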
@@ -11707,7 +11709,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-10-19 16:57:07.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-10-22 10:05:16.000000000 -0400
 @@ -126,6 +126,8 @@
  	# read events - the synaptics touchpad driver reads raw events
  	dev_rw_input_dev($1_xserver_t)
@@ -11740,7 +11742,7 @@
  
  	type $1_iceauth_t;
  	domain_type($1_iceauth_t)
-@@ -282,6 +286,7 @@
+@@ -282,11 +286,14 @@
  	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
  
  	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -11748,7 +11750,22 @@
  
  	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
  	allow $1_xserver_t $2:process signal;
-@@ -353,12 +358,6 @@
+ 
+ 	allow $1_xserver_t $2:shm rw_shm_perms;
++	# Certain X Libraries want to read /proc/self/cmdline when started with startx
++	allow $1_xserver_t $2:file r_file_perms;
+ 
+ 	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+ 	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
+@@ -316,6 +323,7 @@
+ 	userdom_use_user_ttys($1,$1_xserver_t)
+ 	userdom_setattr_user_ttys($1,$1_xserver_t)
+ 	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
++	userdom_rw_user_tmp_files($1,$1_xserver_t)
+ 
+ 	xserver_use_user_fonts($1,$1_xserver_t)
+ 	xserver_rw_xdm_tmp_files($1_xauth_t)
+@@ -353,12 +361,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
  
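Review bot: `allow $1_xserver_t $2:file r_file_perms;` is broader than the comment above it states: $2 is the user domain, so the rule lets the user's X server read every file labelled with that domain, which on procfs is the /proc/<pid>/ entries (cmdline, status, and similar) of every process in $2, not just the server's own /proc/self/cmdline. A process's /proc/self entries normally carry that process's own domain, here $1_xserver_t, so if the denial that motivated this named $2 as the target it is presumably the startx/xinit parent's entry being read; that should be confirmed from the AVC message before the rule is kept. Either way the comment should describe the actual grant, e.g. `# X libraries read /proc/<pid>/cmdline of the launching $2 process under startx; this allows read on all $2-labelled files (e.g. /proc/<pid>/*)`. The added `userdom_rw_user_tmp_files($1,$1_xserver_t)` has no comment and is not mentioned in the changelog; a one-line note on which user tmp file the server needs to write would help. The enclosing template continues outside this hunk.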
@@ -11761,7 +11778,7 @@
  	domain_use_interactive_fds($1_xauth_t)
  
  	files_read_etc_files($1_xauth_t)
-@@ -387,6 +386,14 @@
+@@ -387,6 +389,14 @@
  	')
  
  	optional_policy(`
@@ -11776,7 +11793,7 @@
  		nis_use_ypbind($1_xauth_t)
  	')
  
-@@ -537,16 +544,14 @@
+@@ -537,16 +547,14 @@
  
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -11798,7 +11815,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -555,25 +560,53 @@
+@@ -555,25 +563,53 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -11860,7 +11877,7 @@
  	')
  ')
  
-@@ -626,6 +659,24 @@
+@@ -626,6 +662,24 @@
  
  ########################################
  ## <summary>
@@ -11885,7 +11902,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -659,6 +710,73 @@
+@@ -659,6 +713,73 @@
  
  ########################################
  ## <summary>
@@ -11959,7 +11976,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -927,6 +1045,7 @@
+@@ -927,6 +1048,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -11967,7 +11984,7 @@
  ')
  
  ########################################
-@@ -987,6 +1106,37 @@
+@@ -987,6 +1109,37 @@
  
  ########################################
  ## <summary>
@@ -12005,7 +12022,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1136,7 +1286,7 @@
+@@ -1136,7 +1289,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -12014,7 +12031,7 @@
  ')
  
  ########################################
-@@ -1325,3 +1475,63 @@
+@@ -1325,3 +1478,63 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -12080,7 +12097,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-10-19 14:06:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-10-22 10:06:42.000000000 -0400
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -15565,7 +15582,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-10-18 17:22:34.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-10-22 10:19:23.000000000 -0400
 @@ -132,6 +132,7 @@
  
  init_read_utmp(udev_t)
@@ -15574,20 +15591,21 @@
  
  libs_use_ld_so(udev_t)
  libs_use_shared_libs(udev_t)
-@@ -184,6 +185,12 @@
+@@ -184,6 +185,13 @@
  ')
  
  optional_policy(`
 +	alsa_domtrans(udev_t)
 +	alsa_search_lib(udev_t)
 +	alsa_read_lib(udev_t)
++	alsa_read_rw_config(udev_t)
 +')
 +
 +optional_policy(`
  	brctl_domtrans(udev_t)
  ')
  
-@@ -220,6 +227,10 @@
+@@ -220,6 +228,10 @@
  ')
  
  optional_policy(`
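Review bot: `alsa_read_rw_config(udev_t)` is added without a comment, and it is not obvious why udev_t itself needs to read the alsa rw config when the same block already transitions udev into the alsa domain via `alsa_domtrans(udev_t)` three lines up; if the read is for a helper run from a udev rule that does not go through the transition, that is worth stating. I would add `# alsa_read_rw_config: <helper> invoked from the udev rule reads the alsa config directly, without a transition to alsa_t` with the helper name filled in from the denial. The change is also absent from the 3.0.8-29 changelog entry.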


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.551
retrieving revision 1.552
diff -u -r1.551 -r1.552
--- selinux-policy.spec	19 Oct 2007 21:21:40 -0000	1.551
+++ selinux-policy.spec	22 Oct 2007 14:27:29 -0000	1.552
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,9 @@
 %endif
 
 %changelog
+* Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-29
+- Allow XServer to read /proc/self/cmdline
+
 * Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-28
 - Fixes for hald_mac 
 - Treat unconfined_home_dir_t as a home dir



