rpms/selinux-policy/devel policy-20070703.patch,1.64,1.65
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Sep 20 20:41:53 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7257
Modified Files:
policy-20070703.patch
Log Message:
* Wed Sep 19 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-4
- Fix to add xguest account when inititial install
- Allow mono, java, wine to run in userdomains
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.64
retrieving revision 1.65
diff -u -r1.64 -r1.65
--- policy-20070703.patch 20 Sep 2007 17:21:13 -0000 1.64
+++ policy-20070703.patch 20 Sep 2007 20:41:50 -0000 1.65
@@ -5184,7 +5184,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-20 12:01:41.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-20 15:31:09.000000000 -0400
@@ -50,6 +50,12 @@
## </param>
#
@@ -5206,6 +5206,15 @@
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+@@ -86,7 +93,7 @@
+ # SE-DBus specific permissions
+ allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+ allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
+- allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
++ allow $2 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
@@ -135,7 +142,21 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@@ -5213,12 +5222,12 @@
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ allow $1_dbusd_t $1_t:process sigkill;
+
-+ allow $1_t $1_dbusd_t:fd use;
-+ allow $1_t $1_dbusd_t:fifo_file rw_fifo_file_perms;
-+ allow $1_t $1_dbusd_t:process sigchld;
++ allow $2 $1_dbusd_t:fd use;
++ allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
++ allow $2 $1_dbusd_t:process sigchld;
+
+ ifdef(`hide_broken_symptoms', `
-+ dontaudit $1_t $1_dbusd_t:netlink_selinux_socket { read write };
++ dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
+ ');
+
+ userdom_read_user_home_content_files($1, $1_dbusd_t)
@@ -9530,7 +9539,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 12:07:15.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 15:27:25.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -9611,7 +9620,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +559,52 @@
+@@ -555,25 +559,53 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -9649,6 +9658,7 @@
+ optional_policy(`
+ userdom_read_all_users_home_content_files(xdm_t)
+ userdom_read_all_users_home_content_files(xdm_xserver_t)
++ userdom_rw_user_tmpfs_files($1, xdm_xserver_t)
+#Compiler is broken so these wont work
+ gnome_read_user_gnome_config($1, xdm_t)
+ gnome_read_user_gnome_config($1, xdm_xserver_t)
@@ -9672,7 +9682,7 @@
')
')
-@@ -626,6 +657,24 @@
+@@ -626,6 +658,24 @@
########################################
## <summary>
@@ -9697,7 +9707,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +708,73 @@
+@@ -659,6 +709,73 @@
########################################
## <summary>
@@ -9771,7 +9781,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -927,6 +1043,7 @@
+@@ -927,6 +1044,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -9779,7 +9789,7 @@
')
########################################
-@@ -987,6 +1104,37 @@
+@@ -987,6 +1105,37 @@
########################################
## <summary>
@@ -9817,7 +9827,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1284,7 @@
+@@ -1136,7 +1285,7 @@
type xdm_xserver_tmp_t;
')
@@ -9826,7 +9836,7 @@
')
########################################
-@@ -1325,3 +1473,62 @@
+@@ -1325,3 +1474,62 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -9891,7 +9901,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-20 10:44:00.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-20 15:44:32.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@@ -9951,7 +9961,11 @@
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-@@ -271,6 +285,10 @@
+@@ -268,9 +282,14 @@
+ userdom_create_all_users_keys(xdm_t)
+ # for .dmrc
+ userdom_read_unpriv_users_home_content_files(xdm_t)
++
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -9962,7 +9976,7 @@
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -306,6 +324,11 @@
+@@ -306,6 +325,11 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@@ -9974,7 +9988,7 @@
')
optional_policy(`
-@@ -348,12 +371,8 @@
+@@ -348,12 +372,8 @@
')
optional_policy(`
@@ -9988,7 +10002,7 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
-@@ -385,7 +404,7 @@
+@@ -385,7 +405,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -9997,7 +10011,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +444,10 @@
+@@ -425,6 +445,10 @@
')
optional_policy(`
@@ -10008,7 +10022,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -434,47 +457,19 @@
+@@ -434,47 +458,19 @@
')
optional_policy(`
@@ -10109,7 +10123,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 11:14:45.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 16:27:52.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10140,7 +10154,7 @@
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,11 +177,24 @@
+@@ -176,11 +177,23 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@@ -10150,7 +10164,6 @@
+
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
-+ auth_domtrans_chk_passwd($1)
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
@@ -10165,7 +10178,7 @@
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +210,33 @@
+@@ -196,22 +209,33 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -10200,7 +10213,7 @@
')
')
-@@ -309,9 +334,6 @@
+@@ -309,9 +333,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -10210,7 +10223,7 @@
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +351,7 @@
+@@ -329,6 +350,7 @@
optional_policy(`
kerberos_use($1)
@@ -10218,7 +10231,7 @@
')
optional_policy(`
-@@ -347,6 +370,37 @@
+@@ -347,6 +369,37 @@
########################################
## <summary>
@@ -10256,7 +10269,7 @@
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -695,6 +749,24 @@
+@@ -695,6 +748,24 @@
########################################
## <summary>
@@ -10281,7 +10294,7 @@
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
-@@ -1318,14 +1390,9 @@
+@@ -1318,14 +1389,9 @@
## </param>
#
interface(`auth_use_nsswitch',`
@@ -10296,7 +10309,7 @@
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1381,3 +1448,163 @@
+@@ -1381,3 +1447,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -11327,8 +11340,8 @@
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-09-17 16:20:18.000000000 -0400
-@@ -33,8 +33,13 @@
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-09-20 15:21:10.000000000 -0400
+@@ -33,8 +33,27 @@
## </param>
#
interface(`logging_send_audit_msgs',`
@@ -11340,10 +11353,24 @@
allow $1 self:capability audit_write;
- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
++')
++
++#######################################
++## <summary>
++## dontaudit attempts to send audit messages.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`logging_dontaudit_send_audit_msgs',`
++ dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
########################################
-@@ -238,6 +243,63 @@
+@@ -238,6 +257,63 @@
########################################
## <summary>
@@ -11407,7 +11434,7 @@
## Create an object in the log directory, with a private
## type using a type transition.
## </summary>
-@@ -470,7 +532,7 @@
+@@ -470,7 +546,7 @@
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
@@ -11416,7 +11443,7 @@
')
########################################
-@@ -514,6 +576,8 @@
+@@ -514,6 +590,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
@@ -11425,7 +11452,7 @@
')
########################################
-@@ -597,3 +661,258 @@
+@@ -597,3 +675,258 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
@@ -13219,16 +13246,16 @@
+corecmd_exec_all_executables(unconfined_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.8/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.fc 2007-09-17 16:20:18.000000000 -0400
-@@ -1,4 +1,5 @@
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.fc 2007-09-20 15:47:36.000000000 -0400
+@@ -1,4 +1,4 @@
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
-
+-
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 12:06:52.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 15:46:46.000000000 -0400
@@ -29,8 +29,9 @@
')
@@ -14121,7 +14148,19 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1894,10 +1979,46 @@
+@@ -1642,9 +1727,11 @@
+ template(`userdom_user_home_content',`
+ gen_require(`
+ attribute $1_file_type;
++ attribute user_home_type;
+ ')
+
+ typeattribute $2 $1_file_type;
++ typeattribute $2 user_home_type;
+ files_type($2)
+ ')
+
+@@ -1894,10 +1981,46 @@
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
type $1_home_dir_t, $1_home_t;
@@ -14169,7 +14208,7 @@
')
########################################
-@@ -3078,7 +3199,7 @@
+@@ -3078,7 +3201,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -14178,7 +14217,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4736,24 @@
+@@ -4615,6 +4738,24 @@
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
')
@@ -14203,7 +14242,7 @@
########################################
## <summary>
-@@ -4633,6 +4772,14 @@
+@@ -4633,6 +4774,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -14218,7 +14257,7 @@
')
########################################
-@@ -5323,7 +5470,7 @@
+@@ -5323,7 +5472,7 @@
attribute user_tmpfile;
')
@@ -14227,7 +14266,7 @@
')
########################################
-@@ -5559,3 +5706,375 @@
+@@ -5559,3 +5708,376 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -14417,13 +14456,14 @@
+# Should be optional but policy will not build because of compiler problems
+# Must be before xwindows calls
+#optional_policy(`
-+ gnome_per_role_template($1, $1_t, $1_r)
-+ gnome_exec_gconf($1_t)
++ gnome_per_role_template($1, $1_usertype, $1_r)
++ gnome_exec_gconf($1_usertype)
+#')
+
+userdom_xwindows_client_template($1)
+
+logging_send_syslog_msg($1_usertype)
++logging_dontaudit_send_audit_msgs($1_usertype)
+
+optional_policy(`
+ alsa_read_rw_config($1_usertype)
@@ -14448,7 +14488,7 @@
+')
+
+optional_policy(`
-+ consolekit_dontaudit_dbus_chat($1_usertype)
++ consolekit_dbus_chat($1_usertype)
+')
+
+optional_policy(`
More information about the fedora-extras-commits
mailing list