rpms/selinux-policy/devel policy-20090105.patch, 1.34, 1.35 selinux-policy.spec, 1.784, 1.785

Daniel J Walsh dwalsh at fedoraproject.org
Fri Feb 6 17:49:00 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27783

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Thu Feb 5 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-4
- Fix staff_t domain


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- policy-20090105.patch	5 Feb 2009 13:44:44 -0000	1.34
+++ policy-20090105.patch	6 Feb 2009 17:48:28 -0000	1.35
@@ -712,8 +712,16 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc	2009-02-03 22:57:29.000000000 -0500
-@@ -11,7 +11,8 @@
++++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc	2009-02-05 13:41:50.000000000 -0500
+@@ -3,6 +3,7 @@
+ /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ 
+ /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
+ 
+ /usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
+@@ -11,7 +12,8 @@
  
  /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -723,7 +731,7 @@
  /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  ifdef(`distro_redhat', `
-@@ -21,14 +22,17 @@
+@@ -21,14 +23,17 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1706,7 +1714,7 @@
 +#/usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.4/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/apps/gnome.if	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/apps/gnome.if	2009-02-05 15:12:13.000000000 -0500
 @@ -89,5 +89,154 @@
  
  	allow $1 gnome_home_t:dir manage_dir_perms;
@@ -6204,7 +6212,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.4/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/kernel.if	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/kernel/kernel.if	2009-02-06 11:11:26.000000000 -0500
 @@ -1197,6 +1197,26 @@
  	')
  
@@ -6331,6 +6339,13 @@
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.4/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-02-03 22:50:50.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/kernel/kernel.te	2009-02-03 22:57:29.000000000 -0500
+@@ -1,5 +1,5 @@
+ 
+-policy_module(kernel, 1.10.3)
++policy_module(kernel, 1.10.2)
+ 
+ ########################################
+ #
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
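Review bot: The inner patch now rewrites `policy_module(kernel, 1.10.3)` to `policy_module(kernel, 1.10.2)`, which moves the kernel module's version backwards relative to the upstream file it patches. Nothing in the hunk says why a downgrade is wanted; if it is a leftover from rebasing onto the 2009-02-03 upstream kernel.te, the two lines should simply be dropped so the Fedora module never carries a lower version than upstream, and if it is deliberate, a one-line comment stating the reason should accompany the version line. The remainder of kernel.te's header and declarations lies outside this hunk.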
@@ -6375,6 +6390,18 @@
  allow kernel_t proc_t:dir list_dir_perms;
  allow kernel_t proc_t:file read_file_perms;
  allow kernel_t proc_t:lnk_file read_lnk_file_perms;
+@@ -221,10 +237,8 @@
+ # connections with invalidated labels:
+ allow kernel_t unlabeled_t:packet send;
+ 
+-# Allow unlabeled network traffic
++# Forwarded network traffic
+ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+-corenet_in_generic_if(unlabeled_t)
+-corenet_in_generic_node(unlabeled_t)
+ 
+ corenet_all_recvfrom_unlabeled(kernel_t)
+ corenet_all_recvfrom_netlabel(kernel_t)
 @@ -248,7 +262,8 @@
  
  selinux_load_policy(kernel_t)
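Review bot: Dropping `corenet_in_generic_if(unlabeled_t)` and `corenet_in_generic_node(unlabeled_t)` removes the netif ingress and node recvfrom permissions for the unlabeled peer, leaving `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` as the only unlabeled_t network rule here. That is presumably safe only because the kernel, with the network_peer_controls capability, performs the peer-label netif/node checks just for packets that carry a NetLabel or IPsec label — an assumption that should be written next to the rule, e.g. `# no ingress/recvfrom rules for unlabeled_t: the kernel only applies peer-label netif/node checks to NetLabel/IPsec-labeled packets`, and verified on a host that actually uses NetLabel or labeled IPsec. The replacement comment `# Forwarded network traffic` also no longer says what the allow is for; `# Forwarded traffic without a peer label (unlabeled_t) may be routed through this host` would be more precise. Note that the changelog entry for this commit mentions only the staff_t fix, so it is unclear whether this tightening is intended to ship with it.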
@@ -7047,16 +7074,8 @@
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.4/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/roles/staff.te	2009-02-03 22:57:29.000000000 -0500
-@@ -8,112 +8,32 @@
- 
- role staff_r;
- 
--userdom_unpriv_user_template(staff)
-+userdom_admin_login_user_template(staff)
- 
- ########################################
- #
++++ serefpolicy-3.6.4/policy/modules/roles/staff.te	2009-02-05 13:52:52.000000000 -0500
+@@ -15,156 +15,87 @@
  # Local policy
  #
  
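Review bot: The inner patch no longer replaces `userdom_unpriv_user_template(staff)` with `userdom_admin_login_user_template(staff)`, so staff_t is now built from the unprivileged-user template while the following hunk still hands it administrative role transitions and library-management rights. That combination is defensible (staff users escalate only through newrole/sudo role changes), but it is the opposite of what a reader of this module expects, so a comment next to the template call would help, e.g. `# staff_t is an unprivileged-template domain; administrative access is reached only by role change via newrole/sudo, see below`. The template call itself is now outside every hunk of the inner patch, so verify that the built staff.te really reads `userdom_unpriv_user_template(staff)` and that this template defines the `staff_usertype` attribute referenced later in the file.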
@@ -7119,111 +7138,130 @@
 -optional_policy(`
 -	java_role(staff_r, staff_t)
 -')
--
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
+ 
 -optional_policy(`
 -	lockdev_role(staff_r, staff_t)
 -')
--
++auth_domtrans_pam_console(staff_t)
+ 
 -optional_policy(`
 -	lpd_role(staff_r, staff_t)
 -')
--
++libs_manage_shared_libs(staff_t)
+ 
 -optional_policy(`
 -	mozilla_role(staff_r, staff_t)
 -')
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
++seutil_run_newrole(staff_t, staff_r)
  
--optional_policy(`
+ optional_policy(`
 -	mplayer_role(staff_r, staff_t)
--')
-+auth_domtrans_pam_console(staff_t)
++	sudo_role_template(staff, staff_r, staff_t)
+ ')
  
--optional_policy(`
+ optional_policy(`
 -	mta_role(staff_r, staff_t)
--')
-+libs_manage_shared_libs(staff_t)
++	auditadm_role_change(staff_r)
+ ')
  
  optional_policy(`
 -	oident_manage_user_content(staff_t)
 -	oident_relabel_user_content(staff_t)
--')
--
--optional_policy(`
++	kerneloops_manage_tmp_files(staff_t)
+ ')
+ 
+ optional_policy(`
 -	pyzor_role(staff_r, staff_t)
--')
--
--optional_policy(`
++	logadm_role_change(staff_r)
+ ')
+ 
+ optional_policy(`
 -	razor_role(staff_r, staff_t)
-+	auditadm_role_change(staff_r)
++	secadm_role_change(staff_r)
  ')
  
  optional_policy(`
 -	rssh_role(staff_r, staff_t)
-+	kerneloops_manage_tmp_files(staff_t)
++	ssh_role_template(staff, staff_r, staff_t)
  ')
  
  optional_policy(`
 -	screen_role_template(staff, staff_r, staff_t)
-+	logadm_role_change(staff_r)
++	sysadm_role_change(staff_r)
  ')
  
  optional_policy(`
-@@ -121,50 +41,21 @@
+-	secadm_role_change(staff_r)
++	usernetctl_run(staff_t, staff_r)
  ')
  
  optional_policy(`
 -	spamassassin_role(staff_r, staff_t)
--')
--
--optional_policy(`
- 	ssh_role_template(staff, staff_r, staff_t)
++	unconfined_role_change(staff_r)
  ')
  
  optional_policy(`
+-	ssh_role_template(staff, staff_r, staff_t)
++	webadm_role_change(staff_r)
+ ')
+ 
+-optional_policy(`
 -	su_role_template(staff, staff_r, staff_t)
 -')
--
++domain_read_all_domains_state(staff_t)
++domain_getattr_all_domains(staff_t)
++domain_obj_id_change_exemption(staff_t)
+ 
 -optional_policy(`
 -	sudo_role_template(staff, staff_r, staff_t)
 -')
--
++files_read_kernel_modules(staff_t)
+ 
 -optional_policy(`
- 	sysadm_role_change(staff_r)
+-	sysadm_role_change(staff_r)
 -	userdom_dontaudit_use_user_terminals(staff_t)
 -')
--
++kernel_read_fs_sysctls(staff_t)
+ 
 -optional_policy(`
 -	thunderbird_role(staff_r, staff_t)
 -')
--
++modutils_read_module_config(staff_t)
++modutils_read_module_deps(staff_t)
+ 
 -optional_policy(`
 -	tvtime_role(staff_r, staff_t)
 -')
--
--optional_policy(`
++miscfiles_read_hwdata(staff_t)
+ 
+ optional_policy(`
 -	uml_role(staff_r, staff_t)
--')
--
--optional_policy(`
++	gnomeclock_dbus_chat(staff_t)
+ ')
+ 
+ optional_policy(`
 -	userhelper_role_template(staff, staff_r, staff_t)
++	kerneloops_dbus_chat(staff_t)
  ')
  
  optional_policy(`
 -	vmware_role(staff_r, staff_t)
-+	usernetctl_run(staff_t, staff_r)
++	rpm_dbus_chat(staff_usertype)
  ')
  
  optional_policy(`
 -	wireshark_role(staff_r, staff_t)
-+	unconfined_role_change(staff_r)
++	setroubleshoot_stream_connect(staff_t)
++	setroubleshoot_dbus_chat(staff_t)
  ')
  
  optional_policy(`
 -	xserver_role(staff_r, staff_t)
-+	webadm_role_change(staff_r)
++	virt_stream_connect(staff_t)
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.4/policy/modules/roles/sysadm.if
 --- nsaserefpolicy/policy/modules/roles/sysadm.if	2009-01-19 11:07:34.000000000 -0500
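Review bot: `libs_manage_shared_libs(staff_t)` in the rebuilt local policy lets staff_t create, write and delete shared-library files (lib_t, per the interface name), i.e. code that every other domain on the host loads, which is a direct escalation path for anyone holding a staff_t shell with the matching DAC rights and is far broader than the other grants here, which are gated through role changes, newrole or sudo. If a concrete denial prompted it, a narrower interface (`libs_read_lib_files`/`libs_exec_lib_files`, or a transition into the domain that legitimately writes libraries) is the safer fix; if it must stay, a comment naming the trigger belongs above the line. Two consistency points in the same hunk: `rpm_dbus_chat(staff_usertype)` is the only call using the `staff_usertype` attribute while its neighbours `setroubleshoot_dbus_chat(staff_t)` and `virt_stream_connect(staff_t)` use staff_t, and `domain_obj_id_change_exemption(staff_t)`, which (if it matches the refpolicy interface of that name) exempts staff_t from the object user/role-change constraint normally reserved for admin domains, deserves a justifying comment. The start of staff.te's local policy, including the user template call, lies in the previous hunk.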
@@ -7561,7 +7599,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.4/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/roles/unprivuser.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/roles/unprivuser.te	2009-02-05 10:45:18.000000000 -0500
 @@ -14,142 +14,13 @@
  userdom_unpriv_user_template(user)
  
@@ -12263,8 +12301,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.4/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/devicekit.te	2009-02-04 08:40:38.000000000 -0500
-@@ -0,0 +1,125 @@
++++ serefpolicy-3.6.4/policy/modules/services/devicekit.te	2009-02-06 11:17:45.000000000 -0500
+@@ -0,0 +1,131 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@@ -12309,6 +12347,10 @@
 +	dbus_system_bus_client(devicekit_t)
 +')
 +
++optional_policy(`
++	udev_read_db(devicekit_t)
++')
++
 +#
 +# DeviceKit-Power local policy
 +#
@@ -12324,7 +12366,9 @@
 +domain_read_all_domains_state(devicekit_power_t)
 +
 +kernel_read_system_state(devicekit_power_t)
++kernel_rw_kernel_sysctl(devicekit_power_t)
 +kernel_rw_hotplug_sysctls(devicekit_power_t)
++kernel_write_proc_files(devicekit_power_t)
 +
 +dev_rw_generic_usb_dev(devicekit_power_t)
 +dev_rw_netcontrol(devicekit_power_t)
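Review bot: `kernel_rw_kernel_sysctl(devicekit_power_t)` and `kernel_write_proc_files(devicekit_power_t)` give the power daemon read/write on everything under /proc/sys/kernel and write on generic proc_t files, which reaches well beyond power management: /proc/sys/kernel holds the modprobe and hotplug helper paths and core_pattern, so a compromised devicekit_power_t could redirect root helper execution. If the denial that prompted this is a single control node (an ACPI or power file under /proc, presumably), a dedicated type with a narrow allow — or the `kernel_rw_hotplug_sysctls` line already present here — is preferable; at minimum a comment naming the file should sit above these two lines, e.g. `# writes /proc/<path> to <purpose>; TODO narrow to a dedicated type`. The rest of the devicekit_power_t local policy is outside this hunk.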
@@ -12419,6 +12463,14 @@
  ##	All of the rules required to administrate 
  ##	an dhcp environment
  ## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.4/policy/modules/services/dnsmasq.fc
+--- nsaserefpolicy/policy/modules/services/dnsmasq.fc	2008-11-18 18:57:20.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.fc	2009-02-06 11:38:55.000000000 -0500
+@@ -5,3 +5,4 @@
+ /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
++/var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.4/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2008-11-18 18:57:21.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.if	2009-02-03 22:57:29.000000000 -0500
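Review bot: The new entry `/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)` only takes effect on relabel; at runtime that directory is presumably created under /var/run/libvirt by libvirtd, so unless the virt policy carries a matching `filetrans_pattern` for a `network` directory created there, it will inherit its parent's label and dnsmasq will still be denied until the next restorecon. Check that the accompanying dnsmasq.te/virt.te change (the dnsmasq.te hunk follows this one, but its body is not shown here) includes that transition, or note in the .fc file that libvirtd's own file transition handles the path. Also confirm that labelling the whole subtree dnsmasq_var_run_t does not cut libvirtd off from state it writes there itself, since the pattern covers every file beneath the directory.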
@@ -12522,7 +12574,7 @@
  ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.4/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.te	2009-02-06 11:39:09.000000000 -0500
 @@ -69,21 +69,22 @@
  
  # allow access to dnsmasq.conf
@@ -12705,7 +12757,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.4/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/dovecot.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/dovecot.te	2009-02-06 11:32:01.000000000 -0500
 @@ -15,12 +15,21 @@
  domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -12795,12 +12847,13 @@
 -allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 +allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
  
- allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
- 
+-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
++read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
++
 +manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 +manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 +files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-+
+ 
  # Allow dovecot to create and read SSL parameters file
  manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
  files_search_var_lib(dovecot_t)
@@ -22173,8 +22226,18 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.4/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/ssh.te	2009-02-03 22:57:29.000000000 -0500
-@@ -75,7 +75,7 @@
++++ serefpolicy-3.6.4/policy/modules/services/ssh.te	2009-02-06 12:43:43.000000000 -0500
+@@ -41,6 +41,9 @@
+ files_tmp_file(sshd_tmp_t)
+ files_poly_parent(sshd_tmp_t)
+ 
++type sshd_tmpfs_t;
++files_tmpfs_file(sshd_tmpfs_t)
++
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
+ ')
+@@ -75,7 +78,7 @@
  ubac_constrained(ssh_tmpfs_t)
  
  type home_ssh_t;
@@ -22183,7 +22246,7 @@
  typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  files_type(home_ssh_t)
  userdom_user_home_content(home_ssh_t)
-@@ -95,7 +95,7 @@
+@@ -95,7 +98,7 @@
  allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
@@ -22192,7 +22255,7 @@
  allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
  
  # Read the ssh key file.
-@@ -115,6 +115,7 @@
+@@ -115,6 +118,7 @@
  manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
  manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
  userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
@@ -22200,7 +22263,7 @@
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -139,6 +140,8 @@
+@@ -139,6 +143,8 @@
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -22209,7 +22272,7 @@
  
  dev_read_urand(ssh_t)
  
-@@ -173,6 +176,7 @@
+@@ -173,6 +179,7 @@
  userdom_use_user_terminals(ssh_t)
  # needs to read krb tgt
  userdom_read_user_tmp_files(ssh_t)
@@ -22217,7 +22280,7 @@
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -202,6 +206,7 @@
+@@ -202,6 +209,7 @@
  # for port forwarding
  tunable_policy(`user_tcp_server',`
  	corenet_tcp_bind_ssh_port(ssh_t)
@@ -22225,7 +22288,7 @@
  ')
  
  optional_policy(`
-@@ -310,6 +315,8 @@
+@@ -310,6 +318,8 @@
  kernel_search_key(sshd_t)
  kernel_link_key(sshd_t)
  
@@ -22234,7 +22297,7 @@
  term_use_all_user_ptys(sshd_t)
  term_setattr_all_user_ptys(sshd_t)
  term_relabelto_all_user_ptys(sshd_t)
-@@ -318,6 +325,10 @@
+@@ -318,6 +328,13 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
@@ -22242,10 +22305,13 @@
 +userdom_read_user_home_content_symlinks(sshd_t)
 +userdom_search_admin_dir(sshd_t)
 +
++manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t)
++fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file)
++
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -331,6 +342,14 @@
+@@ -331,6 +348,14 @@
  ')
  
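Review bot: The new `manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t)` / `fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file)` pair carries no comment saying what sshd creates on tmpfs; since the transition covers only the `file` class, a directory created there would still land in the generic tmpfs type, so the trigger matters. Add a line above them such as `# sshd creates <what> on tmpfs (/dev/shm?) — TODO confirm the path`, and if the object is per-session (created after authentication on behalf of the user) consider transitioning it to the user's tmpfs type instead so the session, not the daemon, owns it. The declaration of sshd_tmpfs_t is in the earlier ssh.te hunk.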
  optional_policy(`
@@ -22260,7 +22326,7 @@
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -349,7 +368,11 @@
+@@ -349,7 +374,11 @@
  ')
  
  optional_policy(`
@@ -22273,7 +22339,7 @@
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -408,6 +431,8 @@
+@@ -408,6 +437,8 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
@@ -22606,8 +22672,31 @@
 +HOME_DIR/VirtualMachines/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.4/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/virt.if	2009-02-03 22:57:29.000000000 -0500
-@@ -293,6 +293,41 @@
++++ serefpolicy-3.6.4/policy/modules/services/virt.if	2009-02-06 11:23:27.000000000 -0500
+@@ -117,12 +117,12 @@
+ 	')
+ 
+ 	files_search_pids($1)
+-	allow $1 virt_var_run_t:file read_file_perms;
++	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage virt pid files.
++##	Manage virt PID files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -135,6 +135,7 @@
+ 		type virt_var_run_t;
+ 	')
+ 
++	files_search_pids($1)
+          manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ ')
+ 
+@@ -293,6 +294,41 @@
  
  ########################################
  ## <summary>
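Review bot: The context line `         manage_files_pattern($1, virt_var_run_t, virt_var_run_t)` directly beneath the added `files_search_pids($1)` is indented with spaces while every other body line in these interfaces uses a tab, so the two lines sit at different columns; since the hunk already touches this interface, the space indent should be replaced with a tab to keep refpolicy style. The switch from `allow $1 virt_var_run_t:file read_file_perms;` to `read_files_pattern($1, virt_var_run_t, virt_var_run_t)` additionally grants `search` on virt_var_run_t directories, which is the usual pattern and fine. The manage interface's header is outside this hunk.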
@@ -23458,7 +23547,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/xserver.te	2009-02-04 11:20:11.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/xserver.te	2009-02-05 18:20:04.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -23810,7 +23899,15 @@
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -504,10 +569,12 @@
+@@ -472,6 +537,7 @@
+ # Search /proc for any user domain processes.
+ userdom_read_all_users_state(xdm_t)
+ userdom_signal_all_users(xdm_t)
++userdom_write_user_tmp_files(xdm_t)
+ 
+ xserver_rw_session(xdm_t,xdm_tmpfs_t)
+ xserver_unconfined(xdm_t)
+@@ -504,10 +570,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
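Review bot: `userdom_write_user_tmp_files(xdm_t)` lets the display manager, which runs as root, open for write any file labelled user_tmp_t — files that confined users create and control in /tmp — so a user who can predict the path xdm writes can pre-create the file (or a symlink, if xdm_t may follow user_tmp_t links), which is the root-writes-to-/tmp hazard the tmp type separation exists to prevent. If one specific file is needed (a session authority file, presumably), a dedicated xdm tmp type with a transition, or having the session side create the file, would be safer; at minimum a comment naming the file should sit above this line, e.g. `# xdm writes <file> in the user's /tmp — TODO replace with a dedicated type`. The enclosing xdm_t local policy continues on both sides of this hunk.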
@@ -23823,7 +23920,7 @@
  ')
  
  optional_policy(`
-@@ -515,12 +582,41 @@
+@@ -515,12 +583,41 @@
  ')
  
  optional_policy(`
@@ -23865,7 +23962,7 @@
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +638,19 @@
+@@ -542,6 +639,19 @@
  ')
  
  optional_policy(`
@@ -23885,7 +23982,7 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +659,9 @@
+@@ -550,8 +660,9 @@
  ')
  
  optional_policy(`
@@ -23897,7 +23994,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +670,6 @@
+@@ -560,7 +671,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -23905,7 +24002,7 @@
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +680,10 @@
+@@ -571,6 +681,10 @@
  ')
  
  optional_policy(`
@@ -23916,7 +24013,7 @@
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,7 +700,7 @@
+@@ -587,7 +701,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23925,7 +24022,7 @@
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +715,11 @@
+@@ -602,9 +716,11 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23937,7 +24034,7 @@
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -622,7 +737,7 @@
+@@ -622,7 +738,7 @@
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
@@ -23946,7 +24043,7 @@
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +750,19 @@
+@@ -635,9 +751,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23966,7 +24063,7 @@
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +805,14 @@
+@@ -680,9 +806,14 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -23981,7 +24078,7 @@
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +827,13 @@
+@@ -697,8 +828,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23995,7 +24092,7 @@
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -720,6 +855,7 @@
+@@ -720,6 +856,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -24003,7 +24100,7 @@
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -742,7 +878,7 @@
+@@ -742,7 +879,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -24012,7 +24109,7 @@
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -774,6 +910,10 @@
+@@ -774,6 +911,10 @@
  ')
  
  optional_policy(`
@@ -24023,7 +24120,7 @@
  	rhgb_getpgid(xserver_t)
  	rhgb_signal(xserver_t)
  ')
-@@ -806,7 +946,7 @@
+@@ -806,7 +947,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -24032,7 +24129,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +967,14 @@
+@@ -827,9 +968,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -24047,7 +24144,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +989,14 @@
+@@ -844,11 +990,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -24063,7 +24160,7 @@
  ')
  
  optional_policy(`
-@@ -856,6 +1004,11 @@
+@@ -856,6 +1005,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -24075,7 +24172,7 @@
  ########################################
  #
  # Rules common to all X window domains
-@@ -881,6 +1034,8 @@
+@@ -881,6 +1035,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -24084,7 +24181,7 @@
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -905,6 +1060,8 @@
+@@ -905,6 +1061,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -24093,7 +24190,7 @@
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1129,51 @@
+@@ -972,17 +1130,51 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -28524,7 +28621,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-04 10:39:52.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-05 18:26:44.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -29435,7 +29532,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +953,28 @@
+@@ -899,28 +953,29 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -29447,12 +29544,13 @@
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
 +		apache_role($1_r, $1_usertype)
-+		')
++	')
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
 +		gnome_manage_config($1_usertype)
 +		gnome_manage_gconf_home_files($1_usertype)
++		gnome_read_gconf_config($1_usertype)
  		')
  
  		optional_policy(`
@@ -29472,7 +29570,7 @@
  	')
  ')
  
-@@ -931,8 +985,7 @@
+@@ -931,8 +986,7 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -29482,7 +29580,7 @@
  ##	</p>
  ##	<p>
  ##	This template creates a user domain, types, and
-@@ -954,8 +1007,8 @@
+@@ -954,8 +1008,8 @@
  	# Declarations
  	#
  
@@ -29492,7 +29590,7 @@
  	userdom_common_user_template($1)
  
  	##############################
-@@ -964,11 +1017,12 @@
+@@ -964,11 +1018,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -29507,7 +29605,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,37 +1040,47 @@
+@@ -986,37 +1041,47 @@
  		')
  	')
  
@@ -29568,7 +29666,7 @@
  ')
  
  #######################################
-@@ -1050,7 +1114,7 @@
+@@ -1050,7 +1115,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -29577,7 +29675,7 @@
  	')
  
  	##############################
-@@ -1059,8 +1123,7 @@
+@@ -1059,8 +1124,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -29587,7 +29685,7 @@
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1146,8 @@
+@@ -1083,7 +1147,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -29597,7 +29695,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1163,7 @@
+@@ -1099,6 +1164,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -29605,7 +29703,7 @@
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,8 +1171,6 @@
+@@ -1106,8 +1172,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -29614,7 +29712,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1225,6 @@
+@@ -1162,20 +1226,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -29635,7 +29733,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1270,7 @@
+@@ -1221,6 +1271,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -29643,7 +29741,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1336,15 @@
+@@ -1286,11 +1337,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -29659,7 +29757,7 @@
  ')
  
  ########################################
-@@ -1387,7 +1441,7 @@
+@@ -1387,7 +1442,7 @@
  
  ########################################
  ## <summary>
@@ -29668,7 +29766,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1474,14 @@
+@@ -1420,6 +1475,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -29683,7 +29781,7 @@
  ')
  
  ########################################
-@@ -1435,9 +1497,11 @@
+@@ -1435,9 +1498,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -29695,7 +29793,7 @@
  ')
  
  ########################################
-@@ -1494,6 +1558,25 @@
+@@ -1494,6 +1559,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -29721,7 +29819,7 @@
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1547,9 +1630,9 @@
+@@ -1547,9 +1631,9 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -29733,7 +29831,7 @@
  ')
  
  ########################################
-@@ -1568,6 +1651,8 @@
+@@ -1568,6 +1652,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -29742,7 +29840,7 @@
  ')
  
  ########################################
-@@ -1643,6 +1728,7 @@
+@@ -1643,6 +1729,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -29750,7 +29848,7 @@
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,6 +1827,62 @@
+@@ -1741,6 +1828,62 @@
  
  ########################################
  ## <summary>
@@ -29813,7 +29911,7 @@
  ##	Execute user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1757,14 +1899,6 @@
+@@ -1757,14 +1900,6 @@
  
  	files_search_home($1)
  	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -29828,7 +29926,7 @@
  ')
  
  ########################################
-@@ -1787,6 +1921,46 @@
+@@ -1787,6 +1922,46 @@
  
  ########################################
  ## <summary>
@@ -29875,7 +29973,7 @@
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -1799,6 +1973,7 @@
+@@ -1799,6 +1974,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -29883,7 +29981,7 @@
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -1921,7 +2096,7 @@
+@@ -1921,7 +2097,7 @@
  
  ########################################
  ## <summary>
@@ -29892,7 +29990,7 @@
  ##	with an automatic type transition to
  ##	a specified private type.
  ## </summary>
-@@ -1941,28 +2116,58 @@
+@@ -1941,28 +2117,58 @@
  ##	</summary>
  ## </param>
  #
@@ -29958,11 +30056,17 @@
  ##	<summary>
  ##	The class of the object to be created.
  ##	</summary>
-@@ -2819,6 +3024,24 @@
+@@ -2814,7 +3020,43 @@
+ 		type user_tmp_t;
+ 	')
  
- ########################################
- ## <summary>
-+##	Delete all users files in /tmp
+-	allow $1 user_tmp_t:file write_file_perms;
++	write_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++## <summary>
++##	Write all users files in /tmp
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -29970,20 +30074,34 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_delete_user_tmp_files',`
++interface(`userdom_write_user_tmp_dirs',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	allow $1 user_tmp_t:file delete_file_perms;
++	write_files_pattern($1, user_tmp_t, user_tmp_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to use user ttys.
- ## </summary>
- ## <param name="domain">
-@@ -2851,6 +3074,7 @@
++##	Delete all users files in /tmp
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_user_tmp_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:file delete_file_perms;
+ ')
+ 
+ ########################################
+@@ -2851,6 +3093,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -29991,7 +30109,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2965,6 +3189,24 @@
+@@ -2965,6 +3208,24 @@
  
  ########################################
  ## <summary>
@@ -30016,7 +30134,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3223,313 @@
+@@ -2981,3 +3242,313 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.784
retrieving revision 1.785
diff -u -r1.784 -r1.785
--- selinux-policy.spec	5 Feb 2009 13:44:44 -0000	1.784
+++ selinux-policy.spec	6 Feb 2009 17:48:29 -0000	1.785
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
 %endif
 
 %changelog
+* Thu Feb 5 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-4
+- Fix staff_t domain
+
 * Thu Feb 5 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-3
 - Grab remainder of network_peer_controls patch
 



