rpms/selinux-policy/F-8 policy-20070703.patch, 1.191, 1.192 selinux-policy.spec, 1.617, 1.618

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Mar 6 21:56:00 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16234

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Thu Mar 6 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-92
- Fix openoffice policy to allow it to run from firefox on xguest


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.191
retrieving revision 1.192
diff -u -r1.191 -r1.192
--- policy-20070703.patch	4 Mar 2008 22:08:07 -0000	1.191
+++ policy-20070703.patch	6 Mar 2008 21:55:53 -0000	1.192
@@ -3043,7 +3043,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2008-02-06 09:05:24.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2008-03-06 11:18:15.000000000 -0500
 @@ -11,6 +11,7 @@
  #
  /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -3052,7 +3052,7 @@
  /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,11 @@
+@@ -20,5 +21,13 @@
  /usr/bin/grmic  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/grmiregistry  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/jv-convert  	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -3064,11 +3064,13 @@
 +/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 +
-+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++
 +/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.if	2008-01-28 10:57:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/java.if	2008-03-06 11:16:06.000000000 -0500
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
@@ -3095,16 +3097,25 @@
  	allow $1_javaplugin_t $2:unix_stream_socket connectto;
  	allow $1_javaplugin_t $2:unix_stream_socket { read write };
  	userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
-@@ -81,8 +84,7 @@
+@@ -69,6 +72,7 @@
+ 	manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
+ 	manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
+ 	files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
++	allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
+ 
+ 	manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
+ 	manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
+@@ -81,9 +85,7 @@
  
  	can_exec($1_javaplugin_t, java_exec_t)
  	
 -	# The user role is authorized for this domain.
 -	domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-+	domain_auto_trans($2, java_exec_t, $1_javaplugin_t)
- 	allow $1_javaplugin_t $2:fd use;
+-	allow $1_javaplugin_t $2:fd use;
++	domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
+ 	allow $1_javaplugin_t $2:process signull;
 @@ -94,7 +96,7 @@
  	kernel_read_system_state($1_javaplugin_t)
  
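Review bot: `allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;` is now granted unconditionally to every user's javaplugin domain, whereas the identical rule used to sit inside the `allow_java_execstack` tunable, from which the following hunk (`@@ -147,8 +158,6 @@`) removes it. Letting the plugin execute files it writes into its own tmp type means anything running in that domain, potentially including code the browser fetched, can stage and run a native helper, and the boolean was the administrator's one switch to forbid that. If OpenOffice needs it regardless of the execstack setting, I would keep it under its own tunable or at least justify it in place: `# openoffice launched via the plugin domain runs helpers it unpacks into its tmp dir; required even with allow_java_execstack off`. Replacing domain_auto_trans plus the separate `fd use` rule with `domtrans_pattern($2, java_exec_t, $1_javaplugin_t)` is fine, since domtrans_pattern already carries fd use. The template body continues outside this hunk.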
@@ -3148,7 +3159,16 @@
  	userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
  	userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
  	userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
-@@ -166,6 +177,62 @@
+@@ -147,8 +158,6 @@
+ 	tunable_policy(`allow_java_execstack',`
+ 		allow $1_javaplugin_t self:process execstack;
+ 
+-		allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
+-
+ 		libs_legacy_use_shared_libs($1_javaplugin_t)
+ 		libs_legacy_use_ld_so($1_javaplugin_t)
+ 
+@@ -166,6 +175,62 @@
  	optional_policy(`
  		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
  	')
@@ -3211,7 +3231,7 @@
  ')
  
  ########################################
-@@ -219,3 +286,66 @@
+@@ -219,3 +284,66 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, java_exec_t, java_t)
  ')
@@ -4136,7 +4156,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2008-02-19 09:59:23.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2008-03-06 10:57:37.000000000 -0500
 @@ -7,6 +7,7 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4211,7 +4231,15 @@
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +270,23 @@
+@@ -188,6 +199,7 @@
+ 
+ ifdef(`distro_redhat', `
+ /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
+@@ -259,3 +271,23 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
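Review bot: `/usr/lib64/.*/program(/.*)?` has an unanchored `.*` and no `--` class restriction, so it labels every file and directory under any path with a `program` component below /usr/lib64 as bin_t, not only OpenOffice; it mirrors the existing `/usr/lib/.*/program(/.*)?` line, so the breadth is inherited rather than new, but lib64 trees now acquire it too. Anything in such a directory becomes executable by every domain that has corecmd_exec_bin unless a more specific libraries.fc entry reclaims it. If OpenOffice is the only target, the narrower `/usr/lib64/openoffice\.org.*/program(/.*)?` would match the patterns this same change uses in java.fc and unconfined.fc. Either way a comment naming the package the line exists for would help, e.g. `# openoffice.org program directory`.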
@@ -5525,7 +5553,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2008-02-26 17:48:01.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2008-03-06 10:50:53.000000000 -0500
 @@ -271,45 +271,6 @@
  
  ########################################
@@ -5756,7 +5784,15 @@
  interface(`fs_dontaudit_read_ramfs_files',`
  	gen_require(`
  		type ramfs_t;
-@@ -3206,6 +3305,7 @@
+@@ -2885,6 +2984,7 @@
+ 		type tmpfs_t;
+ 	')
+ 
++	dontaudit $1 tmpfs_t:dir rw_dir_perms;
+ 	dontaudit $1 tmpfs_t:file rw_file_perms;
+ ')
+ 
+@@ -3206,6 +3306,7 @@
  	')
  
  	allow $1 filesystem_type:filesystem getattr;
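Review bot: The interface receiving `dontaudit $1 tmpfs_t:dir rw_dir_perms;` is, judging by its sibling `dontaudit $1 tmpfs_t:file rw_file_perms;`, a files-only dontaudit whose name and `<summary>` lie before this hunk, so the added directory rule silently widens what every existing caller has muffled. Its summary should now say so, e.g. `## Do not audit attempts to read or write tmpfs files and directories.`, and a one-line note on why directory denials need hiding would help, since suppressed tmpfs write attempts no longer show up in audit for any caller. The interface definition starts outside this hunk.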
@@ -5764,7 +5800,7 @@
  ')
  
  ########################################
-@@ -3322,6 +3422,24 @@
+@@ -3322,6 +3423,24 @@
  
  ########################################
  ## <summary>
@@ -5789,7 +5825,7 @@
  ##	List all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -3533,3 +3651,62 @@
+@@ -3533,3 +3652,62 @@
  	relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
  	relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
  ')
@@ -10140,7 +10176,7 @@
 +/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te	2008-03-04 16:29:48.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te	2008-03-06 16:54:33.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(fail2ban,1.0.0)
@@ -10159,7 +10195,7 @@
  
  kernel_read_system_state(fail2ban_t)
  
-@@ -47,14 +48,20 @@
+@@ -47,14 +48,23 @@
  
  files_read_etc_files(fail2ban_t)
  files_read_usr_files(fail2ban_t)
@@ -10167,6 +10203,9 @@
 +files_search_var_lib(fail2ban_t)
 +
 +fs_list_inotifyfs(fail2ban_t)
++
++auth_use_nsswitch(fail2ban_t)
++corenet_tcp_connect_whois_port(fail2ban_t)
  
  libs_use_ld_so(fail2ban_t)
  libs_use_shared_libs(fail2ban_t)
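Review bot: `corenet_tcp_connect_whois_port(fail2ban_t)` opens outbound TCP from a daemon that parses attacker-controlled log lines, with nothing saying which action needs it; presumably the whois-based mail actions, but that is an inference from the port, not from this file. I would annotate it, `# whois lookups for the mail-whois actions`, so the grant is not widened later on the assumption it is generic network access. Pairing it with `auth_use_nsswitch(fail2ban_t)` is consistent, as the whois host has to be resolved. The fail2ban.te body continues outside this hunk.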
@@ -10181,6 +10220,18 @@
  optional_policy(`
  	apache_read_log(fail2ban_t)
  ')
+@@ -64,5 +74,11 @@
+ ')
+ 
+ optional_policy(`
++	gamin_domtrans(fail2ban_t)
++	gamin_stream_connect(fail2ban_t)
++')
++
++optional_policy(`
+ 	iptables_domtrans(fail2ban_t)
+ ')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.0.8/policy/modules/services/fetchmail.te
 --- nsaserefpolicy/policy/modules/services/fetchmail.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/fetchmail.te	2008-01-17 09:03:07.000000000 -0500
@@ -10289,6 +10340,97 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.0.8/policy/modules/services/gamin.fc
+--- nsaserefpolicy/policy/modules/services/gamin.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/gamin.fc	2008-03-06 16:51:35.000000000 -0500
+@@ -0,0 +1,2 @@
++
++/usr/libexec/gam_server	--	gen_context(system_u:object_r:gamin_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.0.8/policy/modules/services/gamin.if
+--- nsaserefpolicy/policy/modules/services/gamin.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/gamin.if	2008-03-06 16:51:35.000000000 -0500
+@@ -0,0 +1,39 @@
++
++## <summary>policy for gamin</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run gamin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gamin_domtrans',`
++	gen_require(`
++		type gamin_t;
++                type gamin_exec_t;
++	')
++
++	domtrans_pattern($1,gamin_exec_t,gamin_t)
++')
++
++########################################
++## <summary>
++##	Connect to gamin over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gamin_stream_connect',`
++	gen_require(`
++		type gamin_t;
++	')
++
++	allow $1 gamin_t:unix_stream_socket connectto;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.0.8/policy/modules/services/gamin.te
+--- nsaserefpolicy/policy/modules/services/gamin.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/gamin.te	2008-03-06 16:51:35.000000000 -0500
+@@ -0,0 +1,38 @@
++policy_module(gamin,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gamin_t;
++type gamin_exec_t;
++init_daemon_domain(gamin_t, gamin_exec_t)
++
++########################################
++#
++# gamin local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(gamin_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow gamin_t self:fifo_file rw_file_perms;
++allow gamin_t self:unix_stream_socket create_stream_socket_perms;
++
++files_read_etc_files(gamin_t)
++files_read_etc_runtime_files(gamin_t)
++files_list_all(gamin_t)
++files_getattr_all_files(gamin_t)
++
++fs_list_inotifyfs(gamin_t)
++domain_read_all_domains_state(gamin_t)
++
++libs_use_ld_so(gamin_t)
++libs_use_shared_libs(gamin_t)
++
++miscfiles_read_localization(gamin_t)
++
++role unconfined_r types gamin_t;
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/hal.fc	2008-01-17 09:03:07.000000000 -0500
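Review bot: gamin.te grants `domain_read_all_domains_state(gamin_t)` together with `files_list_all` and `files_getattr_all_files` to a file-change notifier, and hardcodes `role unconfined_r types gamin_t;` in the service module; reading every domain's /proc state is broader than watching directories needs, and the role assignment belongs in the role or user modules. I would drop the read_all_domains_state line unless an AVC shows it is required, and justify the remaining wide grants in place: `# gam_server must stat and list any directory a client asks it to monitor`. gamin.te also declares no tmp or socket type, so if gam_server creates its listening socket under /tmp (the default in common builds, to be confirmed) gamin_t will be denied, as only `self:unix_stream_socket create_stream_socket_perms` is visible here. In gamin.if, `over an unix stream socket` should read `over a unix stream socket`, and `type gamin_exec_t;` is indented with spaces where the rest of the file uses tabs.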
@@ -11202,7 +11344,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te	2008-01-31 11:46:14.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.te	2008-03-06 11:57:46.000000000 -0500
 @@ -1,11 +1,13 @@
  
 -policy_module(mta,1.7.1)
@@ -11291,11 +11433,15 @@
  	logrotate_read_tmp_files(system_mail_t)
  ')
  
-@@ -136,11 +158,33 @@
+@@ -136,11 +158,37 @@
  ')
  
  optional_policy(`
-+	clamav_stream_connect(sendmail_t)
++	clamav_stream_connect(system_mail_t)
++')
++
++optional_policy(`
++	fail2ban_append_log(system_mail_t)
 +')
 +
 +optional_policy(`
@@ -11309,7 +11455,7 @@
 -# should break this up among sections:
 +init_stream_connect_script(mailserver_delivery)
 +init_rw_script_stream_sockets(mailserver_delivery)
-+
+ 
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_manage_cifs_dirs(mailserver_delivery)
 +	fs_manage_cifs_files(mailserver_delivery)
@@ -11321,12 +11467,12 @@
 +	fs_manage_nfs_files(mailserver_delivery)
 +	fs_manage_nfs_symlinks(mailserver_delivery)
 +')
- 
++
 +# should break this up among sections:
  optional_policy(`
  	# why is mail delivered to a directory of type arpwatch_data_t?
  	arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +198,4 @@
+@@ -154,3 +202,4 @@
  		cron_read_system_job_tmp_files(mta_user_agent)
  	')
  ')
@@ -19088,7 +19234,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2008-02-11 16:25:54.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2008-03-06 10:59:16.000000000 -0500
 @@ -65,11 +65,15 @@
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -19166,7 +19312,7 @@
  /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # vmware 
-@@ -284,3 +299,16 @@
+@@ -284,3 +299,18 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -19183,6 +19329,8 @@
 +/usr/lib64/libswscale\.so.*				 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/libavdevice\.so.*	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/libmythavcodec-[^/]+\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program(/.*)?\.so		gen_context(system_u:object_r:lib_t,s0)
++/usr/lib64/.*/program(/.*)?\.so		gen_context(system_u:object_r:lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/libraries.te	2008-01-17 09:03:07.000000000 -0500
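Review bot: `/usr/lib64/.*/program(/.*)?\.so` and its /usr/lib twin only reclaim libraries named exactly `*.so`, so versioned objects such as `libfoo.so.2` under a `program` directory keep the bin_t label from the corecommands.fc rule; the rest of this file spells the suffix `\.so(\.[^/]*)*`, as on the `/opt/(.*/)?jre.*` line above, and these two should match: `/usr/lib64/.*/program(/.*)?\.so(\.[^/]*)*	gen_context(system_u:object_r:lib_t,s0)`. Without a `--` class the pattern also matches directories ending in `.so`, which is unlikely to matter. Whether this entry actually wins over the bin_t one depends on how fc_sort orders two regex entries sharing the `/usr/lib64/` stem, so it is worth confirming with `matchpathcon` on an installed tree.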
@@ -21420,14 +21568,13 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2008-03-04 10:18:00.000000000 -0500
-@@ -7,6 +7,10 @@
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2008-03-06 11:18:43.000000000 -0500
+@@ -7,6 +7,8 @@
  /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
  
  /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/lib(64)?/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
- 
+-
  /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.617
retrieving revision 1.618
diff -u -r1.617 -r1.618
--- selinux-policy.spec	4 Mar 2008 22:08:07 -0000	1.617
+++ selinux-policy.spec	6 Mar 2008 21:55:53 -0000	1.618
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 91%{?dist}
+Release: 92%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
 %endif
 
 %changelog
+* Thu Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-92
+- Fix openoffice policy to allow it to run from firefox on xguest
+
 * Tue Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-91
 - Allow rpc.mountd to write to lvm_control_t chr_file
 



