rpms/selinux-policy/devel policy-20071130.patch, 1.83, 1.84 selinux-policy.spec, 1.621, 1.622

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Feb 28 21:51:14 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7357

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Feb 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-7
-


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.83
retrieving revision 1.84
diff -u -r1.83 -r1.84
--- policy-20071130.patch	28 Feb 2008 05:01:51 -0000	1.83
+++ policy-20071130.patch	28 Feb 2008 21:51:10 -0000	1.84
@@ -2276,7 +2276,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.3.1/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/rpm.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/rpm.te	2008-02-28 15:36:54.000000000 -0500
 @@ -31,6 +31,9 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -6744,7 +6744,7 @@
  type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-02-26 21:27:47.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-02-28 13:12:42.000000000 -0500
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -6784,7 +6784,7 @@
  allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  
  # act on all domains keys
-@@ -148,3 +157,27 @@
+@@ -148,3 +157,28 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -6812,6 +6812,7 @@
 +	unconfined_dontaudit_rw_pipes(domain)
 +	unconfined_sigchld(domain)
 +')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-02-26 16:54:46.000000000 -0500
@@ -8096,7 +8097,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-02-27 17:28:38.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-02-28 16:49:32.000000000 -0500
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -8192,12 +8193,13 @@
  # httpd_modules_t is the type given to module files (libraries) 
  # that come with Apache /etc/httpd/modules and /usr/lib/apache
  type httpd_modules_t;
-@@ -202,12 +233,15 @@
+@@ -202,12 +233,16 @@
  	prelink_object_file(httpd_modules_t)
  ')
  
 +apache_content_template(user)
 +userdom_user_home_content(user,httpd_user_content_t)
++typealias httpd_user_content_t alias httpd_unconfined_content_t;
 +
  ########################################
  #
@@ -8209,7 +8211,7 @@
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -249,6 +283,7 @@
+@@ -249,6 +284,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
  read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -8217,7 +8219,7 @@
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +324,7 @@
+@@ -289,6 +325,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -8225,7 +8227,7 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -315,9 +351,7 @@
+@@ -315,9 +352,7 @@
  
  auth_use_nsswitch(httpd_t)
  
@@ -8236,7 +8238,7 @@
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -335,6 +369,10 @@
+@@ -335,6 +370,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -8247,7 +8249,7 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -351,25 +389,38 @@
+@@ -351,25 +390,38 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -8291,7 +8293,7 @@
  tunable_policy(`httpd_can_network_relay',`
  	# allow httpd to work as a relay
  	corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,6 +433,10 @@
+@@ -382,6 +434,10 @@
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
  ')
  
@@ -8302,7 +8304,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -399,11 +454,21 @@
+@@ -399,11 +455,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -8324,7 +8326,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +502,14 @@
+@@ -437,8 +503,14 @@
  ')
  
  optional_policy(`
@@ -8340,7 +8342,7 @@
  ')
  
  optional_policy(`
-@@ -450,19 +521,13 @@
+@@ -450,19 +522,13 @@
  ')
  
  optional_policy(`
@@ -8361,7 +8363,7 @@
  ')
  
  optional_policy(`
-@@ -472,13 +537,14 @@
+@@ -472,13 +538,14 @@
  	openca_kill(httpd_t)
  ')
  
@@ -8380,7 +8382,7 @@
  ')
  
  optional_policy(`
-@@ -486,6 +552,7 @@
+@@ -486,6 +553,7 @@
  ')
  
  optional_policy(`
@@ -8388,7 +8390,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -521,6 +588,19 @@
+@@ -521,6 +589,19 @@
  	userdom_use_sysadm_terms(httpd_helper_t)
  ')
  
@@ -8408,7 +8410,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -550,18 +630,24 @@
+@@ -550,18 +631,24 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -8436,7 +8438,7 @@
  ')
  
  ########################################
-@@ -585,6 +671,8 @@
+@@ -585,6 +672,8 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -8445,7 +8447,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +681,7 @@
+@@ -593,9 +682,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -8456,7 +8458,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +714,7 @@
+@@ -628,6 +715,7 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -8464,7 +8466,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
  ')
-@@ -638,6 +725,12 @@
+@@ -638,6 +726,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -8477,7 +8479,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +748,6 @@
+@@ -655,10 +749,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -8488,7 +8490,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -668,7 +757,8 @@
+@@ -668,7 +758,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -8498,7 +8500,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +772,44 @@
+@@ -682,15 +773,44 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -8544,7 +8546,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +819,15 @@
+@@ -700,9 +820,15 @@
  	clamav_domtrans_clamscan(httpd_sys_script_t)
  ')
  
@@ -8560,7 +8562,7 @@
  ')
  
  ########################################
-@@ -724,3 +849,46 @@
+@@ -724,3 +850,46 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -11280,7 +11282,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.3.1/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cvs.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/cvs.te	2008-02-28 15:30:50.000000000 -0500
 @@ -28,6 +28,9 @@
  type cvs_var_run_t;
  files_pid_file(cvs_var_run_t)
@@ -13254,7 +13256,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te	2008-02-28 15:39:03.000000000 -0500
 @@ -18,6 +18,9 @@
  type fail2ban_var_run_t;
  files_pid_file(fail2ban_var_run_t)
@@ -13276,7 +13278,20 @@
  
  kernel_read_system_state(fail2ban_t)
  
-@@ -55,6 +59,8 @@
+@@ -47,14 +51,20 @@
+ 
+ files_read_etc_files(fail2ban_t)
+ files_read_usr_files(fail2ban_t)
++files_list_var(fail2ban_t)
++files_search_var_lib(fail2ban_t)
++
++fs_search_inotifyfs(fail2ban_t)
+ 
+ libs_use_ld_so(fail2ban_t)
+ libs_use_shared_libs(fail2ban_t)
+ 
+-logging_read_generic_logs(fail2ban_t)
++logging_read_all_logs(fail2ban_t)
  
  miscfiles_read_localization(fail2ban_t)
  
@@ -22702,7 +22717,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-02-27 23:02:25.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-02-28 09:30:18.000000000 -0500
 @@ -15,6 +15,11 @@
  template(`xserver_common_domain_template',`
  	gen_require(`
@@ -23153,7 +23168,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,25 +539,360 @@
+@@ -542,25 +539,364 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -23298,6 +23313,10 @@
 +	# everyone can get the input focus of everyone else
 +	# this is a fundamental brokenness in the X protocol
 +	allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab };
++	tunable_policy(`allow_read_x_device',`
++		allow $3 { x_domain x_server_domain }:x_device read;
++	')
++
 +	# everyone can grab the server
 +	# everyone does it, it is basically a free DOS attack
 +	allow $3 x_server_domain:x_server grab;
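Review bot: The new `allow_read_x_device` block gives every client domain `$3` read on the x_device class of all x_domain and x_server_domain types, i.e. the input devices of every other client, and the matching `gen_tunable(allow_read_x_device,true)` in the xserver.te hunk declares it on by default, so as shipped the boolean loosens the policy rather than gating it. Consider `gen_tunable(allow_read_x_device,false)` and a description that names the risk, e.g. `## Allow X clients to read the input devices (keyboard/mouse) of other clients; enabling this lets any client observe another client's input`, so an administrator turning it on knows what is being traded. The same tunable is applied again for xserver_unconfined_type in the last xserver.te hunk; the defaults should be decided once for both sites. The enclosing template starts outside this hunk.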
@@ -23520,7 +23539,7 @@
  	')
  ')
  
-@@ -593,26 +925,44 @@
+@@ -593,26 +929,44 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -23572,7 +23591,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -638,10 +988,77 @@
+@@ -638,10 +992,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
@@ -23652,7 +23671,7 @@
  ')
  
  ########################################
-@@ -671,10 +1088,10 @@
+@@ -671,10 +1092,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -23665,7 +23684,7 @@
  ')
  
  ########################################
-@@ -760,7 +1177,7 @@
+@@ -760,7 +1181,7 @@
  		type xconsole_device_t;
  	')
  
@@ -23674,7 +23693,7 @@
  ')
  
  ########################################
-@@ -860,6 +1277,25 @@
+@@ -860,6 +1281,25 @@
  
  ########################################
  ## <summary>
@@ -23700,7 +23719,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1350,7 @@
+@@ -914,6 +1354,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -23708,7 +23727,7 @@
  ')
  
  ########################################
-@@ -955,6 +1392,24 @@
+@@ -955,6 +1396,24 @@
  
  ########################################
  ## <summary>
@@ -23733,7 +23752,7 @@
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -965,15 +1420,47 @@
+@@ -965,15 +1424,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -23782,7 +23801,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1610,7 @@
+@@ -1123,7 +1614,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -23791,7 +23810,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1799,108 @@
+@@ -1312,3 +1803,108 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -23902,8 +23921,23 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-02-27 23:17:59.000000000 -0500
-@@ -16,21 +16,79 @@
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-02-28 16:46:06.000000000 -0500
+@@ -8,6 +8,14 @@
+ 
+ ## <desc>
+ ## <p>
++## Allows X clients to read the x devices (keyboard/mouse)
++## </p>
++## </desc>
++gen_tunable(allow_read_x_device,true)
++
++
++## <desc>
++## <p>
+ ## Allows clients to write to the X server shared
+ ## memory segments.
+ ## </p>
+@@ -16,21 +24,79 @@
  
  ## <desc>
  ## <p>
@@ -23985,7 +24019,7 @@
  
  # this is not actually a device, its a pipe
  type xconsole_device_t;
-@@ -56,6 +114,12 @@
+@@ -56,6 +122,12 @@
  type xdm_var_run_t;
  files_pid_file(xdm_var_run_t)
  
@@ -23998,7 +24032,7 @@
  type xdm_tmp_t;
  files_tmp_file(xdm_tmp_t)
  typealias xdm_tmp_t alias ice_tmp_t;
-@@ -78,7 +142,31 @@
+@@ -78,7 +150,31 @@
  type xserver_log_t;
  logging_log_file(xserver_log_t)
  
@@ -24030,7 +24064,7 @@
  init_system_domain(xdm_xserver_t,xserver_exec_t)
  
  ifdef(`enable_mcs',`
-@@ -95,8 +183,9 @@
+@@ -95,8 +191,9 @@
  # XDM Local policy
  #
  
@@ -24042,7 +24076,7 @@
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
-@@ -109,6 +198,8 @@
+@@ -109,6 +206,8 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -24051,7 +24085,7 @@
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -131,15 +222,22 @@
+@@ -131,15 +230,22 @@
  manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -24075,7 +24109,7 @@
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -153,6 +251,7 @@
+@@ -153,6 +259,7 @@
  allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -24083,7 +24117,7 @@
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -173,6 +272,8 @@
+@@ -173,6 +280,8 @@
  
  corecmd_exec_shell(xdm_t)
  corecmd_exec_bin(xdm_t)
@@ -24092,7 +24126,7 @@
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -184,6 +285,7 @@
+@@ -184,6 +293,7 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
@@ -24100,7 +24134,7 @@
  corenet_tcp_connect_all_ports(xdm_t)
  corenet_sendrecv_all_client_packets(xdm_t)
  # xdm tries to bind to biff_port_t
-@@ -196,6 +298,7 @@
+@@ -196,6 +306,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -24108,7 +24142,7 @@
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -208,8 +311,8 @@
+@@ -208,8 +319,8 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -24119,7 +24153,7 @@
  dev_getattr_power_mgmt_dev(xdm_t)
  dev_setattr_power_mgmt_dev(xdm_t)
  
-@@ -226,6 +329,7 @@
+@@ -226,6 +337,7 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -24127,7 +24161,7 @@
  
  fs_getattr_all_fs(xdm_t)
  fs_search_auto_mountpoints(xdm_t)
-@@ -245,6 +349,7 @@
+@@ -245,6 +357,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -24135,7 +24169,7 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -256,12 +361,11 @@
+@@ -256,12 +369,11 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -24149,7 +24183,7 @@
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -270,8 +374,13 @@
+@@ -270,8 +382,13 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -24163,7 +24197,7 @@
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -304,7 +413,11 @@
+@@ -304,7 +421,11 @@
  ')
  
  optional_policy(`
@@ -24176,7 +24210,7 @@
  ')
  
  optional_policy(`
-@@ -312,6 +425,23 @@
+@@ -312,6 +433,23 @@
  ')
  
  optional_policy(`
@@ -24200,7 +24234,7 @@
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +452,10 @@
+@@ -322,6 +460,10 @@
  ')
  
  optional_policy(`
@@ -24211,7 +24245,7 @@
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -335,6 +469,11 @@
+@@ -335,6 +477,11 @@
  ')
  
  optional_policy(`
@@ -24223,18 +24257,17 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -343,8 +482,9 @@
+@@ -343,8 +490,8 @@
  ')
  
  optional_policy(`
 -	unconfined_domain(xdm_t)
-+	unconfined_domain(xdm_xserver_t)
  	unconfined_domtrans(xdm_t)
 +	unconfined_signal(xdm_t)
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +520,7 @@
+@@ -380,7 +527,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -24243,7 +24276,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +532,15 @@
+@@ -392,6 +539,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -24259,7 +24292,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,9 +553,17 @@
+@@ -404,9 +560,17 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -24277,7 +24310,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +577,22 @@
+@@ -420,6 +584,22 @@
  ')
  
  optional_policy(`
@@ -24300,7 +24333,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +602,125 @@
+@@ -429,47 +609,138 @@
  ')
  
  optional_policy(`
@@ -24309,30 +24342,21 @@
 +	rpm_dontaudit_rw_shm(xdm_xserver_t)
 +	rpm_rw_tmpfs_files(xdm_xserver_t)
 +')
-+
+ 
+-	ifndef(`distro_redhat',`
+-		allow xdm_xserver_t self:process { execheap execmem };
+-	')
 +optional_policy(`
 +	unconfined_rw_shm(xdm_xserver_t)
 +	unconfined_execmem_rw_shm(xdm_xserver_t)
 +	unconfined_rw_tmpfs_files(xdm_xserver_t)
  
--	ifndef(`distro_redhat',`
+-	ifdef(`distro_rhel4',`
 -		allow xdm_xserver_t self:process { execheap execmem };
 -	')
 +	# xserver signals unconfined user on startx
 +	unconfined_signal(xdm_xserver_t)
 +	unconfined_getpgid(xdm_xserver_t)
-+')
- 
--	ifdef(`distro_rhel4',`
--		allow xdm_xserver_t self:process { execheap execmem };
--	')
-+
-+tunable_policy(`allow_xserver_execmem', `
-+	allow xdm_xserver_t self:process { execheap execmem execstack };
-+')
-+
-+ifndef(`distro_redhat',`
-+	allow xdm_xserver_t self:process { execheap execmem };
  ')
  
 -ifdef(`TODO',`
@@ -24356,16 +24380,24 @@
 -allow xdm_t polymember:lnk_file { create unlink };
 -# xdm needs access for copying .Xauthority into new home
 -allow xdm_t polymember:file { create getattr write };
-+ifdef(`distro_rhel4',`
-+	allow xdm_xserver_t self:process { execheap execmem };
++
++tunable_policy(`allow_xserver_execmem', `
++	allow xdm_xserver_t self:process { execheap execmem execstack };
  ')
  
++ifndef(`distro_redhat',`
++	allow xdm_xserver_t self:process { execheap execmem };
++')
++
++ifdef(`distro_rhel4',`
++	allow xdm_xserver_t self:process { execheap execmem };
++')
++
 +##############################
  #
 -# Wants to delete .xsession-errors file
 +# xauth_t Local policy
- #
--allow xdm_t user_home_type:file unlink;
++#
 +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
 +
 +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
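Review bot: `tunable_policy(`allow_xserver_execmem', ...)` grants `execheap execmem execstack` to xdm_xserver_t, but no `gen_tunable(allow_xserver_execmem, ...)` declaration appears anywhere in these hunks; if it is not already declared elsewhere in xserver.te the module will fail to build, and if it is, its default now decides whether the X server keeps these permissions, since an earlier hunk drops `unconfined_domain(xdm_xserver_t)`. The `ifndef(`distro_redhat'` and `ifdef(`distro_rhel4'` blocks that follow grant execheap/execmem unconditionally on those distros regardless of the tunable, which is worth stating. A one-line comment above the block would make the intent clear, e.g. `# xdm_xserver_t is no longer unconfined; execmem/execstack are gated by allow_xserver_execmem (always on for non-Red Hat and RHEL4 builds)`.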
@@ -24412,11 +24444,10 @@
 +
 +##############################
  #
--# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+-allow xdm_t user_home_type:file unlink;
 +# iceauth_t Local policy
  #
--allow pam_t xdm_t:fifo_file { getattr ioctl write };
--') dnl end TODO
+-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
 +
 +allow iceauth_t user_iceauth_home_t:file manage_file_perms;
 +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
@@ -24440,7 +24471,9 @@
 +userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
 +
 +########################################
-+#
+ #
+-allow pam_t xdm_t:fifo_file { getattr ioctl write };
+-') dnl end TODO
 +# Rules for unconfined access to this module
 +#
 +
@@ -24459,6 +24492,19 @@
 +allow xserver_unconfined_type { x_domain x_server_domain self }:x_resource *;
 +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 +
++gen_require(`
++	attribute domain;
++')
++
++allow xserver_unconfined_type domain:x_resource *;
++allow xserver_unconfined_type domain:{ x_event x_synthetic_event } *;
++allow xserver_unconfined_type domain:x_drawable *;
++
++  
++tunable_policy(`allow_read_x_device',`
++	allow xserver_unconfined_type { x_domain x_server_domain self }:x_device read;
++')
++
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.3.1/policy/modules/services/zabbix.fc
 --- nsaserefpolicy/policy/modules/services/zabbix.fc	2007-04-11 15:52:54.000000000 -0400
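Review bot: The added `gen_require(` block for `attribute domain;` sits at the bottom of xserver.te after rules that already use it indirectly, whereas the rest of the module appears to keep such requires near the top; move it to the module's existing require section if there is one outside this hunk. The three `allow xserver_unconfined_type domain:...` rules presumably subsume the earlier `{ x_domain x_server_domain self }` rules for x_resource and the event classes — if every x_domain is also a domain, that is redundant but harmless and deserves a comment such as `# unconfined X clients may act on X resources/events of any domain, not only X-aware ones`. The line after `allow xserver_unconfined_type domain:x_drawable *;` adds trailing whitespace (`+  `) and the hunk leaves two blank lines before the next file header; both are whitespace noise that should be dropped.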


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.621
retrieving revision 1.622
diff -u -r1.621 -r1.622
--- selinux-policy.spec	28 Feb 2008 05:01:51 -0000	1.621
+++ selinux-policy.spec	28 Feb 2008 21:51:10 -0000	1.622
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@
 %endif
 
 %changelog
+* Thu Feb 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-7
+-
+
 * Wed Feb 27 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-6
 - Prepare policy for beta release
 - Change some of the system domains back to unconfined



