rpms/selinux-policy/devel policy-20070703.patch, 1.49, 1.50 selinux-policy.spec, 1.516, 1.517

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Sep 7 19:03:15 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13792

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Fri Sep 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-6
- Allow wine to run in system role


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- policy-20070703.patch	6 Sep 2007 23:34:02 -0000	1.49
+++ policy-20070703.patch	7 Sep 2007 19:03:11 -0000	1.50
@@ -2401,9 +2401,20 @@
 +	role $2 types wine_t;
 +	allow wine_t $3:chr_file rw_term_perms;
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.7/policy/modules/apps/wine.te
+--- nsaserefpolicy/policy/modules/apps/wine.te	2007-07-25 10:37:37.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/apps/wine.te	2007-09-07 09:04:03.000000000 -0400
+@@ -9,6 +9,7 @@
+ type wine_t;
+ type wine_exec_t;
+ application_domain(wine_t,wine_exec_t)
++role system_r types wine_t;
+ 
+ ########################################
+ #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc	2007-09-07 13:47:17.000000000 -0400
 @@ -36,6 +36,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
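Review bot: The new `role system_r types wine_t;` in wine.te admits a user application domain to the system role with no comment saying why, so the only record of the rationale is the commit log's "Allow wine to run in system role". A one-line comment above the rule, `# wine_t may also be entered from system_r (see 3.0.7-6 changelog)`, would keep that reason next to the rule a later reader will question. The remainder of this hunk only refreshes the corecommands.fc header timestamp.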
@@ -2437,6 +2448,14 @@
  
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
+@@ -259,3 +265,7 @@
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
+ ')
++
++/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
++/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
++/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in	2007-09-06 15:43:06.000000000 -0400
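Review bot: The added corecommands.fc pattern `/etc/gdm/[^/]+/.*` labels every file under every /etc/gdm subdirectory as bin_t, not only the hook scripts, so any non-executable data kept in those directories is typed as an executable as well. If the intent is the gdm script directories (presumably Init, PostLogin, PreSession, PostSession), a pattern naming them explicitly would be narrower; I cannot tell from the hunk what else is shipped under /etc/gdm here, so this is something to confirm rather than a definite defect. A comment above the three lines, `# gdm hook scripts under /etc/gdm/*/ are executed by the display manager and need bin_t`, would record the intent either way.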
@@ -2486,7 +2505,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in	2007-09-07 15:02:19.000000000 -0400
 @@ -55,6 +55,11 @@
  type reserved_port_t, port_type, reserved_port_type;
  
@@ -2528,11 +2547,21 @@
  network_port(nessus, tcp,1241,s0)
  network_port(netsupport, tcp,5405,s0, udp,5405,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -160,13 +166,17 @@
+@@ -146,7 +152,7 @@
+ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+ network_port(spamd, tcp,783,s0)
+ network_port(ssh, tcp,22,s0)
+-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
++network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
+ type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
+ type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
+ network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+@@ -160,13 +166,18 @@
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
  network_port(vnc, tcp,5900,s0)
 +network_port(wccp, udp,2048,s0)
++network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
 -network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
 +network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
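Review bot: The soundd line `network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)` writes the new port with spaces after the commas while every other entry in the file uses the `tcp,N,s0` form; it should read `tcp,16001,s0`. Adding 16001 to soundd_port_t also extends every existing rule on that port type to the new port, so whatever already binds or connects to soundd ports gains it implicitly; a short comment naming the service that listens on 16001 would let a reader judge whether that widening is intended. The new xdmcp port declaration is consumed by the `corenet_udp_bind_xdmcp_ports(xdm_t)` rule added in the xserver.te hunk further down.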
@@ -5920,7 +5949,7 @@
  		allow $1 self:tcp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.7/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/kerberos.te	2007-09-07 10:31:47.000000000 -0400
 @@ -62,7 +62,7 @@
  # Use capabilities. Surplus capabilities may be allowed.
  allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
@@ -5964,6 +5993,15 @@
  ')
  
  optional_policy(`
+@@ -151,7 +157,7 @@
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+ dontaudit krb5kdc_t self:capability sys_tty_config;
+-allow krb5kdc_t self:process { setsched getsched signal_perms };
++allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+ allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
+ allow krb5kdc_t self:udp_socket create_socket_perms;
 @@ -223,6 +229,7 @@
  miscfiles_read_localization(krb5kdc_t)
  
@@ -5972,6 +6010,14 @@
  
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
  userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
+@@ -233,6 +240,7 @@
+ 
+ optional_policy(`
+ 	seutil_sigchld_newrole(krb5kdc_t)
++	seutil_read_file_contexts(krb5kdc_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.0.7/policy/modules/services/ktalk.te
 --- nsaserefpolicy/policy/modules/services/ktalk.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/services/ktalk.te	2007-09-06 15:43:06.000000000 -0400
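Review bot: `seutil_read_file_contexts(krb5kdc_t)` here and the `setfscreate` added to krb5kdc_t's process permissions in the preceding hunk together let the KDC choose the label of files it creates, which is a labeling privilege rather than an ordinary file access, and neither hunk says which files need it. The pairing suggests the daemon looks up file_contexts and sets a creation context (presumably through libselinux); that is inferred, not shown. A comment on the `setfscreate` line, `# krb5kdc sets the creation context of the files it writes; file_contexts access is in the seutil block below`, would keep the justification with the rule.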
@@ -7732,7 +7778,7 @@
  	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.7/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rpc.te	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/rpc.te	2007-09-07 10:32:33.000000000 -0400
 @@ -59,10 +59,14 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -7782,16 +7828,17 @@
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +154,8 @@
+@@ -143,6 +154,9 @@
  manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
 +auth_use_nsswitch(gssd_t)
 +
++kernel_read_system_state(gssd_t)
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
-@@ -158,6 +171,9 @@
+@@ -158,6 +172,9 @@
  
  miscfiles_read_certs(gssd_t)
  
@@ -9287,7 +9334,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.7/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/xserver.te	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/xserver.te	2007-09-07 15:02:10.000000000 -0400
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -9323,7 +9370,15 @@
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -246,6 +257,7 @@
+@@ -189,6 +200,7 @@
+ corenet_sendrecv_all_client_packets(xdm_t)
+ # xdm tries to bind to biff_port_t
+ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
++corenet_udp_bind_xdmcp_ports(xdm_t)
+ 
+ dev_read_rand(xdm_t)
+ dev_read_sysfs(xdm_t)
+@@ -246,6 +258,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
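Review bot: `corenet_udp_bind_xdmcp_ports(xdm_t)` lets the display manager listen on udp/177 unconditionally, although that listener is only needed when XDMCP remote display management is enabled; on hosts where it is off, xdm_t still holds a network bind it does not use. If this policy has a tunable for remote logins, wrapping the rule in `tunable_policy` would be tighter; I cannot see from the hunk whether one exists, so at minimum a comment, `# XDMCP listener on udp/177, used only when remote display management is enabled`, would record the trade-off. The interface depends on the xdmcp port declaration added in the corenetwork.te.in hunk above.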
@@ -9331,7 +9386,7 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -257,6 +269,7 @@
+@@ -257,6 +270,7 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -9339,7 +9394,7 @@
  
  miscfiles_read_localization(xdm_t)
  miscfiles_read_fonts(xdm_t)
-@@ -271,6 +284,10 @@
+@@ -271,6 +285,10 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -9350,7 +9405,7 @@
  
  xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
  
-@@ -306,6 +323,8 @@
+@@ -306,6 +324,8 @@
  
  optional_policy(`
  	consolekit_dbus_chat(xdm_t)
@@ -9359,7 +9414,7 @@
  ')
  
  optional_policy(`
-@@ -348,12 +367,8 @@
+@@ -348,12 +368,8 @@
  ')
  
  optional_policy(`
@@ -9373,7 +9428,7 @@
  
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
-@@ -385,7 +400,7 @@
+@@ -385,7 +401,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -9382,7 +9437,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +440,10 @@
+@@ -425,6 +441,10 @@
  ')
  
  optional_policy(`
@@ -9393,7 +9448,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -434,47 +453,19 @@
+@@ -434,47 +454,19 @@
  ')
  
  optional_policy(`
@@ -11333,7 +11388,7 @@
  /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.7/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/lvm.te	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/lvm.te	2007-09-07 09:00:42.000000000 -0400
 @@ -150,7 +150,9 @@
  
  # DAC overrides and mknod for modifying /dev entries (vgmknodes)
@@ -11362,7 +11417,16 @@
  
  term_getattr_all_user_ttys(lvm_t)
  term_list_ptys(lvm_t)
-@@ -293,5 +298,15 @@
+@@ -275,6 +280,8 @@
+ seutil_search_default_contexts(lvm_t)
+ seutil_sigchld_newrole(lvm_t)
+ 
++userdom_dontaudit_search_sysadm_home_dirs(lvm_t)
++
+ ifdef(`distro_redhat',`
+ 	# this is from the initrd:
+ 	files_rw_isid_type_dirs(lvm_t)
+@@ -293,5 +300,15 @@
  ')
  
  optional_policy(`
@@ -13971,7 +14035,25 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.7/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/xen.te	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/xen.te	2007-09-07 08:48:47.000000000 -0400
+@@ -95,7 +95,7 @@
+ read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
+ rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
+ 
+-allow xend_t xenctl_t:fifo_file manage_file_perms;
++allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
+ dev_filetrans(xend_t, xenctl_t, fifo_file)
+ 
+ manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
+@@ -126,7 +126,7 @@
+ domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+ allow xenstored_t xend_t:fd use;
+ allow xenstored_t xend_t:process sigchld;
+-allow xenstored_t xend_t:fifo_file write;
++allow xenstored_t xend_t:fifo_file write_fifo_file_perms;
+ 
+ # transition to console
+ domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
 @@ -176,6 +176,7 @@
  files_manage_etc_runtime_files(xend_t)
  files_etc_filetrans_etc_runtime(xend_t,file)
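Review bot: `allow xenstored_t xend_t:fifo_file write_fifo_file_perms;` replaces the single `write` permission with the whole write macro, which adds permissions beyond write (open, getattr and append at least, depending on how the macro is defined in this tree), so it is a widening rather than a cosmetic rename; a comment noting that xenstored needs more than bare write on xend's fifo would justify it. The xend_t change from `manage_file_perms` to `manage_fifo_file_perms` on the fifo_file class simply matches the permission set to the object class and reads as intended.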
@@ -13980,6 +14062,15 @@
  
  storage_raw_read_fixed_disk(xend_t)
  storage_raw_write_fixed_disk(xend_t)
+@@ -224,7 +225,7 @@
+ 
+ allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+ allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+-allow xenconsoled_t self:fifo_file { read write };
++allow xenconsoled_t self:fifo_file  rw_fifo_file_perms;
+ 
+ allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+ 
 @@ -257,7 +258,7 @@
  
  miscfiles_read_localization(xenconsoled_t)
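Review bot: `allow xenconsoled_t self:fifo_file  rw_fifo_file_perms;` has a double space before the permission set, unlike the surrounding lines; the xm_t line in the next hunk has the same double space and should be fixed together with it. Beyond whitespace, replacing `{ read write }` with `rw_fifo_file_perms` adds the macro's extra permissions (getattr, open, ioctl and lock, if the macro follows the usual refpolicy definition — check this tree's definition), which is normally the intent when moving to the named set but is a widening, not a pure rename.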
@@ -13998,7 +14089,14 @@
  allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
  allow xenstored_t self:unix_dgram_socket create_socket_perms;
  
-@@ -324,6 +325,7 @@
+@@ -318,12 +319,13 @@
+ allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+ 
+ # internal communication is often done using fifo and unix sockets.
+-allow xm_t self:fifo_file { read write };
++allow xm_t self:fifo_file  rw_fifo_file_perms;
+ allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow xm_t self:tcp_socket create_stream_socket_perms;
  
  manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
  manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.516
retrieving revision 1.517
diff -u -r1.516 -r1.517
--- selinux-policy.spec	6 Sep 2007 23:34:02 -0000	1.516
+++ selinux-policy.spec	7 Sep 2007 19:03:11 -0000	1.517
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.7
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,9 @@
 %endif
 
 %changelog
+* Fri Sep 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-6
+- Allow wine to run in system role
+
 * Thu Sep 6 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-5
 - Fix java labeling 
 



