rpms/selinux-policy/devel policy-20071130.patch, 1.102, 1.103 selinux-policy.spec, 1.633, 1.634

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Mar 14 15:17:33 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12021

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Fri Mar 14 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-19
- Allow nsplugin to run acroread


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.102
retrieving revision 1.103
diff -u -r1.102 -r1.103
--- policy-20071130.patch	14 Mar 2008 00:24:59 -0000	1.102
+++ policy-20071130.patch	14 Mar 2008 15:17:23 -0000	1.103
@@ -5079,8 +5079,8 @@
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-12 08:30:42.000000000 -0400
-@@ -0,0 +1,347 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-14 10:52:23.000000000 -0400
+@@ -0,0 +1,350 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -5246,6 +5246,9 @@
 +	dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
++	dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
++	dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
++	dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
 +	allow nsplugin_t $2:unix_stream_socket connectto;
 +	dontaudit nsplugin_t $2:process ptrace;
 +
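Review bot: The three added `dontaudit nsplugin_config_t $2:… rw_socket_perms;` rules carry no comment saying why these denials are silenced, so a later reader cannot tell an expected inherited-descriptor denial from access that ought to be logged. The same applies to `userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)` in the @@ -5517 hunk and `domain_dontaudit_ptrace_all_domains(gamin_t)` in the @@ -14455 hunk. These dontaudit rules suppress exactly the AVC records a responder would look for when a confined plugin or daemon misbehaves. I would add a line such as `# descriptors inherited from the calling domain; denial is expected` above the group, if that is the actual reason (it is inferred here from the neighbouring nsplugin_t rules). The enclosing interface begins and ends outside this hunk.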
@@ -5430,8 +5433,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-10 14:35:49.000000000 -0400
-@@ -0,0 +1,166 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-14 10:51:39.000000000 -0400
+@@ -0,0 +1,170 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5472,7 +5475,10 @@
 +# nsplugin local policy
 +#
 +allow nsplugin_t self:fifo_file rw_file_perms;
-+allow nsplugin_t self:process { ptrace getsched };
++allow nsplugin_t self:process { ptrace getsched signal_perms };
++allow nsplugin_t self:sem create_sem_perms;
++allow nsplugin_t self:shm create_shm_perms;
++allow nsplugin_t self:msgq create_msgq_perms;
 +
 +tunable_policy(`allow_nsplugin_execmem',`
 +        allow nsplugin_t self:process { execstack execmem };
@@ -5517,15 +5523,22 @@
 +
 +libs_use_ld_so(nsplugin_t)
 +libs_use_shared_libs(nsplugin_t)
++libs_exec_ld_so(nsplugin_t)
 +
 +miscfiles_read_localization(nsplugin_t)
 +miscfiles_read_fonts(nsplugin_t)
 +miscfiles_manage_home_fonts(nsplugin_t)
 +
++manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
++
 +userdom_read_user_home_content_files(user, nsplugin_t)
 +userdom_read_user_tmp_files(user, nsplugin_t)
 +userdom_write_user_tmp_sockets(user, nsplugin_t)
 +userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
++userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config(nsplugin_t)
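Review bot: `libs_exec_ld_so(nsplugin_t)` is added without a comment, and it is the widest new grant in this hunk: the plugin domain may now execute the dynamic loader itself rather than only be loaded through it. Presumably this is what launching acroread needs, per the log message, but the policy does not say so. A comment such as `# acroread is started through ld.so` (confirm the actual reason) would keep the rule from outliving its purpose. It may also be worth checking whether the grant can be gated the way `allow_nsplugin_execmem` gates execmem earlier in the file. The nsplugin_tmp_t rules in this hunk are only moved here from the nsplugin_config_t section.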
@@ -5554,17 +5567,11 @@
 +
 +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
 +allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
-+allow nsplugin_t self:sem create_sem_perms;
-+allow nsplugin_t self:shm create_shm_perms;
-+allow nsplugin_t self:msgq create_msgq_perms;
 +
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
-+manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
++fs_list_inotifyfs(nsplugin_t)
 +
 +can_exec(nsplugin_config_t, nsplugin_rw_t)
 +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
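Review bot: The new `fs_list_inotifyfs(nsplugin_t)` lands between nsplugin_config_t rules, in the same spot this commit just cleared of misplaced nsplugin_t rules. If the grant is meant for the plugin domain, it should sit with the other nsplugin_t interface calls higher up. If the config helper is what needs it, the argument should read `fs_list_inotifyfs(nsplugin_config_t)`. Which of the two is intended cannot be told from the hunk.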
@@ -14423,8 +14430,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te
 --- nsaserefpolicy/policy/modules/services/gamin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-03-06 13:11:39.000000000 -0500
-@@ -0,0 +1,38 @@
++++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-03-14 10:50:28.000000000 -0400
+@@ -0,0 +1,39 @@
 +policy_module(gamin,1.0.0)
 +
 +########################################
@@ -14455,6 +14462,7 @@
 +
 +fs_list_inotifyfs(gamin_t)
 +domain_read_all_domains_state(gamin_t)
++domain_dontaudit_ptrace_all_domains(gamin_t)
 +
 +libs_use_ld_so(gamin_t)
 +libs_use_shared_libs(gamin_t)
@@ -23745,7 +23753,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-12 13:48:02.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-14 11:14:49.000000000 -0400
 @@ -12,9 +12,15 @@
  ##	</summary>
  ## </param>
@@ -24212,7 +24220,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,25 +543,532 @@
+@@ -542,26 +543,538 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -24703,6 +24711,7 @@
 +	gen_require(`
 +		type xdm_t, xdm_tmp_t;
 +		type user_xauth_home_t, user_iceauth_home_t, xdm_xserver_t, xdm_xserver_tmpfs_t;
++		class dbus all_dbus_perms;
 +	')
 +
 +	allow $3 self:shm create_shm_perms;
@@ -24742,6 +24751,9 @@
 +	userdom_manage_user_home_content_dirs($1, xdm_t)
 +	userdom_manage_user_home_content_files($1, xdm_t)
 +	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
++	allow $3 xdm_t:dbus send_msg;
++	allow xdm_t $3:dbus send_msg;
++
  	# Client write xserver shm
  	tunable_policy(`allow_write_xshm',`
 -		allow $2 $1_xserver_t:shm rw_shm_perms;
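Review bot: The added rules `allow $3 xdm_t:dbus send_msg;` and `allow xdm_t $3:dbus send_msg;` have no comment and sit directly above `# Client write xserver shm`, so they read as the tail of the userdom_* home-content group. A one-line comment such as `# D-Bus messaging between $3 and xdm_t` would say what they are for. The matching gen_require in the @@ -24703 hunk asks for `class dbus all_dbus_perms;` although only send_msg is used; `class dbus send_msg;` would state the dependency exactly. The template body starts and ends outside this hunk.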
@@ -24749,9 +24761,11 @@
 +		allow $3 xdm_xserver_t:shm rw_shm_perms;
 +		allow $3 xdm_xserver_tmpfs_t:file rw_file_perms;
  	')
++
  ')
  
-@@ -593,26 +1101,44 @@
+ ########################################
+@@ -593,26 +1106,44 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -24803,7 +24817,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -638,10 +1164,77 @@
+@@ -638,10 +1169,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
@@ -24883,7 +24897,7 @@
  ')
  
  ########################################
-@@ -671,10 +1264,10 @@
+@@ -671,10 +1269,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -24896,7 +24910,7 @@
  ')
  
  ########################################
-@@ -760,7 +1353,7 @@
+@@ -760,7 +1358,7 @@
  		type xconsole_device_t;
  	')
  
@@ -24905,7 +24919,7 @@
  ')
  
  ########################################
-@@ -860,6 +1453,25 @@
+@@ -860,6 +1458,25 @@
  
  ########################################
  ## <summary>
@@ -24931,7 +24945,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1526,7 @@
+@@ -914,6 +1531,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -24939,7 +24953,7 @@
  ')
  
  ########################################
-@@ -955,6 +1568,24 @@
+@@ -955,6 +1573,24 @@
  
  ########################################
  ## <summary>
@@ -24964,7 +24978,7 @@
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -965,15 +1596,47 @@
+@@ -965,15 +1601,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -25013,7 +25027,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1786,7 @@
+@@ -1123,7 +1791,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -25022,7 +25036,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1975,83 @@
+@@ -1312,3 +1980,83 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -29977,7 +29991,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-13 18:42:23.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-14 10:48:11.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.633
retrieving revision 1.634
diff -u -r1.633 -r1.634
--- selinux-policy.spec	14 Mar 2008 00:25:00 -0000	1.633
+++ selinux-policy.spec	14 Mar 2008 15:17:23 -0000	1.634
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@
 %endif
 
 %changelog
+* Fri Mar 14 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-19
+- Allow nsplugin to run acroread
+
 * Thu Mar 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-18
 - Add cups_pdf policy
 - Add openoffice policy to run in xguest



