rpms/selinux-policy/F-8 policy-20070703.patch, 1.191, 1.192 selinux-policy.spec, 1.617, 1.618
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Mar 6 21:56:00 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16234
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Thu Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-92
- Fix openoffice policy to allow it to run from firefox on xguest
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.191
retrieving revision 1.192
diff -u -r1.191 -r1.192
--- policy-20070703.patch 4 Mar 2008 22:08:07 -0000 1.191
+++ policy-20070703.patch 6 Mar 2008 21:55:53 -0000 1.192
@@ -3043,7 +3043,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-02-06 09:05:24.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-03-06 11:18:15.000000000 -0500
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -3052,7 +3052,7 @@
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,11 @@
+@@ -20,5 +21,13 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -3064,11 +3064,13 @@
+/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
-+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-01-28 10:57:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-03-06 11:16:06.000000000 -0500
@@ -32,7 +32,7 @@
## </summary>
## </param>
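Review bot: The new `/usr/lib/openoffice\.org.*/program/.+\.bin` and lib64 entries make every `*.bin` under an OpenOffice program directory a java_exec_t entry point into `$1_javaplugin_t`, where the line they replace matched only `soffice\.bin`; if soffice is the only binary that needs the transition for xguest, the narrower name should stay. Splitting into separate `/usr/lib/` and `/usr/lib64/` lines instead of `/usr/lib(64)?/` looks deliberate, since a literal stem of `/usr/lib/openoffice` outranks the `/usr/lib/.*/program(/.*)?` bin_t entry in corecommands.fc while a stem of `/usr/lib` would not, but nothing in the file says so. A comment such as `# two lines on purpose: the literal stem must outrank corecommands' /usr/lib/.*/program bin_t entry` would stop the next cleanup from re-merging them.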
@@ -3095,16 +3097,25 @@
allow $1_javaplugin_t $2:unix_stream_socket connectto;
allow $1_javaplugin_t $2:unix_stream_socket { read write };
userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
-@@ -81,8 +84,7 @@
+@@ -69,6 +72,7 @@
+ manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
+ manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
+ files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
++ allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
+
+ manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
+ manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
+@@ -81,9 +85,7 @@
can_exec($1_javaplugin_t, java_exec_t)
- # The user role is authorized for this domain.
- domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-+ domain_auto_trans($2, java_exec_t, $1_javaplugin_t)
- allow $1_javaplugin_t $2:fd use;
+- allow $1_javaplugin_t $2:fd use;
++ domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
+ allow $1_javaplugin_t $2:process signull;
@@ -94,7 +96,7 @@
kernel_read_system_state($1_javaplugin_t)
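Review bot: The added `allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;` is unconditional, while the same rule was previously only granted inside the `allow_java_execstack` tunable (removed in the following hunk), so the plugin domain, which runs code handed to it by the browser, can now write a file into its tmp type and execute it with no boolean to switch that off. Execution stays in `$1_javaplugin_t`, so this is not a transition to a more privileged domain, but it gives up the write-xor-execute property for every role that instantiates the template, xguest included. If OpenOffice's startup under Firefox genuinely needs it, keep the rule inside the existing tunable_policy block or a dedicated boolean and add a comment naming the program that requires it; the template body continues outside this hunk.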
@@ -3148,7 +3159,16 @@
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
-@@ -166,6 +177,62 @@
+@@ -147,8 +158,6 @@
+ tunable_policy(`allow_java_execstack',`
+ allow $1_javaplugin_t self:process execstack;
+
+- allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
+-
+ libs_legacy_use_shared_libs($1_javaplugin_t)
+ libs_legacy_use_ld_so($1_javaplugin_t)
+
+@@ -166,6 +175,62 @@
optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
@@ -3211,7 +3231,7 @@
')
########################################
-@@ -219,3 +286,66 @@
+@@ -219,3 +284,66 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
@@ -4136,7 +4156,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-02-19 09:59:23.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-03-06 10:57:37.000000000 -0500
@@ -7,6 +7,7 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4211,7 +4231,15 @@
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +270,23 @@
+@@ -188,6 +199,7 @@
+
+ ifdef(`distro_redhat', `
+ /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+@@ -259,3 +271,23 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
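Review bot: The new `/usr/lib64/.*/program(/.*)?` entry labels every file under any directory named `program` at any depth below /usr/lib64 as bin_t, with no `--` type qualifier, so libraries, data files and symlinks there all become executable-labelled and valid exec targets for any domain that has corecmd_exec_bin. It mirrors the existing lib entry, which has the same breadth, but neither line says what it is for. If OpenOffice is the only consumer, anchoring it as `/usr/lib64/openoffice\.org[^/]*/program(/.*)?` would be safer; failing that, a comment such as `# OpenOffice program directory` on both lines would at least record the intent.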
@@ -5525,7 +5553,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-02-26 17:48:01.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-03-06 10:50:53.000000000 -0500
@@ -271,45 +271,6 @@
########################################
@@ -5756,7 +5784,15 @@
interface(`fs_dontaudit_read_ramfs_files',`
gen_require(`
type ramfs_t;
-@@ -3206,6 +3305,7 @@
+@@ -2885,6 +2984,7 @@
+ type tmpfs_t;
+ ')
+
++ dontaudit $1 tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 tmpfs_t:file rw_file_perms;
+ ')
+
+@@ -3206,6 +3306,7 @@
')
allow $1 filesystem_type:filesystem getattr;
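Review bot: The added `dontaudit $1 tmpfs_t:dir rw_dir_perms;` lands inside an interface whose name and XML summary sit above the hunk; the neighbouring `dontaudit $1 tmpfs_t:file rw_file_perms;` suggests it is the files-only interface, and if so every existing caller now silently suppresses directory denials as well while the summary still describes files only. Either add a sibling `fs_dontaudit_rw_tmpfs_dirs` interface and call it from the domain that triggered this, or update the summary to say files and directories. The interface header and summary are not in this hunk, so this is inferred from the visible lines.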
@@ -5764,7 +5800,7 @@
')
########################################
-@@ -3322,6 +3422,24 @@
+@@ -3322,6 +3423,24 @@
########################################
## <summary>
@@ -5789,7 +5825,7 @@
## List all directories with a filesystem type.
## </summary>
## <param name="domain">
-@@ -3533,3 +3651,62 @@
+@@ -3533,3 +3652,62 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
@@ -10140,7 +10176,7 @@
+/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-03-04 16:29:48.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-03-06 16:54:33.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(fail2ban,1.0.0)
@@ -10159,7 +10195,7 @@
kernel_read_system_state(fail2ban_t)
-@@ -47,14 +48,20 @@
+@@ -47,14 +48,23 @@
files_read_etc_files(fail2ban_t)
files_read_usr_files(fail2ban_t)
@@ -10167,6 +10203,9 @@
+files_search_var_lib(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
++
++auth_use_nsswitch(fail2ban_t)
++corenet_tcp_connect_whois_port(fail2ban_t)
libs_use_ld_so(fail2ban_t)
libs_use_shared_libs(fail2ban_t)
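Review bot: `corenet_tcp_connect_whois_port(fail2ban_t)` is granted unconditionally, giving a daemon whose input is attacker-controlled log lines outbound TCP to the whois port on any host, and nothing records which action needs it. If this is for the mail-whois action it would fit better behind a boolean, matching how other optional egress is handled, with a comment such as `# mail-whois action looks up banned addresses`. The file's `auth_use_nsswitch` addition is the usual companion for name resolution and looks fine.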
@@ -10181,6 +10220,18 @@
optional_policy(`
apache_read_log(fail2ban_t)
')
+@@ -64,5 +74,11 @@
+ ')
+
+ optional_policy(`
++ gamin_domtrans(fail2ban_t)
++ gamin_stream_connect(fail2ban_t)
++')
++
++optional_policy(`
+ iptables_domtrans(fail2ban_t)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.0.8/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/fetchmail.te 2008-01-17 09:03:07.000000000 -0500
@@ -10289,6 +10340,97 @@
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.0.8/policy/modules/services/gamin.fc
+--- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/gamin.fc 2008-03-06 16:51:35.000000000 -0500
+@@ -0,0 +1,2 @@
++
++/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.0.8/policy/modules/services/gamin.if
+--- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/gamin.if 2008-03-06 16:51:35.000000000 -0500
+@@ -0,0 +1,39 @@
++
++## <summary>policy for gamin</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run gamin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gamin_domtrans',`
++ gen_require(`
++ type gamin_t;
++ type gamin_exec_t;
++ ')
++
++ domtrans_pattern($1,gamin_exec_t,gamin_t)
++')
++
++########################################
++## <summary>
++## Connect to gamin over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gamin_stream_connect',`
++ gen_require(`
++ type gamin_t;
++ ')
++
++ allow $1 gamin_t:unix_stream_socket connectto;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.0.8/policy/modules/services/gamin.te
+--- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/gamin.te 2008-03-06 16:51:35.000000000 -0500
+@@ -0,0 +1,38 @@
++policy_module(gamin,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gamin_t;
++type gamin_exec_t;
++init_daemon_domain(gamin_t, gamin_exec_t)
++
++########################################
++#
++# gamin local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(gamin_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow gamin_t self:fifo_file rw_file_perms;
++allow gamin_t self:unix_stream_socket create_stream_socket_perms;
++
++files_read_etc_files(gamin_t)
++files_read_etc_runtime_files(gamin_t)
++files_list_all(gamin_t)
++files_getattr_all_files(gamin_t)
++
++fs_list_inotifyfs(gamin_t)
++domain_read_all_domains_state(gamin_t)
++
++libs_use_ld_so(gamin_t)
++libs_use_shared_libs(gamin_t)
++
++miscfiles_read_localization(gamin_t)
++
++role unconfined_r types gamin_t;
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2008-01-17 09:03:07.000000000 -0500
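Review bot: `domain_read_all_domains_state(gamin_t)` lets gam_server read the /proc state of every domain on the system, and together with `files_list_all` and `files_getattr_all_files` that is a wide footprint for a file monitor spawned by fail2ban to watch log directories; none of these rules carries a comment saying which denial it resolves, so it is hard to tell whether the broad interface was needed or just convenient. `role unconfined_r types gamin_t;` hard-codes a role from another module at file scope in gamin.te; the refpolicy convention is to expose a `gamin_run`-style interface that does the role binding for whichever caller needs it, and an external role should be pulled in through gen_require rather than referenced bare. `gamin_stream_connect` grants only `connectto` on gamin_t sockets, so if gam_server uses a filesystem socket rather than an abstract one, clients will also need write access to the socket file, which this module neither labels nor allows.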
@@ -11202,7 +11344,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-31 11:46:14.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-03-06 11:57:46.000000000 -0500
@@ -1,11 +1,13 @@
-policy_module(mta,1.7.1)
@@ -11291,11 +11433,15 @@
logrotate_read_tmp_files(system_mail_t)
')
-@@ -136,11 +158,33 @@
+@@ -136,11 +158,37 @@
')
optional_policy(`
-+ clamav_stream_connect(sendmail_t)
++ clamav_stream_connect(system_mail_t)
++')
++
++optional_policy(`
++ fail2ban_append_log(system_mail_t)
+')
+
+optional_policy(`
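Review bot: `fail2ban_append_log(system_mail_t)` references an interface that does not appear among the fail2ban.if changes in this diff; `optional_policy` only protects against the fail2ban module being absent, not against an undefined interface, which m4 would leave as literal text and break the build, so confirm it exists in fail2ban.if in the same patch. Moving `clamav_stream_connect` from sendmail_t to system_mail_t matches the domain the client-side mailer actually runs in. A comment such as `# fail2ban's mail action runs sendmail with its log still open` would explain why the MTA needs append on a fail2ban log at all.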
@@ -11309,7 +11455,7 @@
-# should break this up among sections:
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
-+
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
@@ -11321,12 +11467,12 @@
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
-
++
+# should break this up among sections:
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +198,4 @@
+@@ -154,3 +202,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
@@ -19088,7 +19234,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-02-11 16:25:54.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-03-06 10:59:16.000000000 -0500
@@ -65,11 +65,15 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -19166,7 +19312,7 @@
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +299,16 @@
+@@ -284,3 +299,18 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -19183,6 +19329,8 @@
+/usr/lib64/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
++/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2008-01-17 09:03:07.000000000 -0500
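Review bot: The two new `program(/.*)?\.so` entries match only names ending exactly in `.so` and omit the `--` file-type qualifier every neighbouring entry carries, so any versioned library (`libfoo.so.2`) in an OpenOffice program directory, if one exists, would fall back to the corecommands `program(/.*)?` bin_t rule. Suggest `/usr/lib/.*/program(/.*)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)` and the lib64 twin, which also sorts more specifically than the bin_t entry. They are appended after the postfix spool block rather than beside the other /usr/lib entries the file keeps grouped, and a `# OpenOffice` comment would make them findable.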
@@ -21420,14 +21568,13 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2008-03-04 10:18:00.000000000 -0500
-@@ -7,6 +7,10 @@
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2008-03-06 11:18:43.000000000 -0500
+@@ -7,6 +7,8 @@
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/lib(64)?/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
+-
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
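Review bot: With the `+/usr/lib(64)?/openoffice...` line dropped here and the original unconfined.fc entry still removed, soffice.bin is no longer unconfined_execmem_exec_t for anyone; it now picks up java_exec_t from java.fc, so for unconfined users the effective domain is whatever unconfined_t's java_exec_t transition yields, and that transition is not in this diff. OpenOffice previously ran in an execmem-capable domain, so confirm the new target allows execmem and execstack, or unconfined users will trade a working office suite for denials. A one-line comment in java.fc noting that OpenOffice labelling moved there from unconfined.fc would save the next reader the search.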
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.617
retrieving revision 1.618
diff -u -r1.617 -r1.618
--- selinux-policy.spec 4 Mar 2008 22:08:07 -0000 1.617
+++ selinux-policy.spec 6 Mar 2008 21:55:53 -0000 1.618
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 91%{?dist}
+Release: 92%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
%endif
%changelog
+* Thu Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-92
+- Fix openoffice policy to allow it to run from firefox on xguest
+
* Tue Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-91
- Allow rpc.mountd to write to lvm_control_t chr_file