From 1fed36ae689e31707094e9917d5a3ac19b52bce4 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 11 2010 16:00:57 +0000 Subject: - Fixes for iscsid - Allow openvpn to bind to http port - Add wine_mmap_zero_ignore boolean --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 9df642a..f06d9a5 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -175,6 +175,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_bus_client(sandbox_net_client_t) dbus_read_config(sandbox_net_client_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if +--- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-06 11:05:50.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-11 16:01:58.000000000 +0100 +@@ -143,6 +143,10 @@ + userdom_unpriv_usertype($1, $1_wine_t) + userdom_manage_tmpfs_role($2, $1_wine_t) + ++ tunable_policy(`wine_mmap_zero_ignore',` ++ allow $1_wine_t self:memprotect mmap_zero; ++ ') ++ + domain_mmap_low_type($1_wine_t) + tunable_policy(`mmap_low_allowed',` + domain_mmap_low($1_wine_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te +--- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-06 11:05:50.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-01-11 16:01:03.000000000 +0100 +@@ -6,6 +6,15 @@ + # Declarations + # + ++## ++##

++## Ignore wine mmap_zero errors ++##

++##
++# ++gen_tunable(wine_mmap_zero_ignore, false) ++ ++ + type wine_t; + type wine_exec_t; + application_domain(wine_t, wine_exec_t) +@@ -29,6 +38,11 @@ + manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) + files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir }) + ++tunable_policy(`wine_mmap_zero_ignore',` ++ allow wine_t self:memprotect mmap_zero; ++') ++ ++ + domain_mmap_low_type(wine_t) + tunable_policy(`mmap_low_allowed',` + domain_mmap_low(wine_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-06 11:05:50.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-09 20:39:30.000000000 +0100 @@ -418,6 +463,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te +--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-06 11:05:50.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-11 15:49:03.000000000 +0100 +@@ -85,6 +85,7 @@ + corenet_udp_bind_generic_node(openvpn_t) + corenet_tcp_bind_openvpn_port(openvpn_t) + corenet_udp_bind_openvpn_port(openvpn_t) ++corenet_tcp_bind_http_port(openvpn_t) + corenet_tcp_connect_openvpn_port(openvpn_t) + corenet_tcp_connect_http_port(openvpn_t) + corenet_tcp_connect_http_cache_port(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-06 11:05:50.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-08 20:27:51.000000000 +0100 
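Review bot: The tunable's description in wine.te, `## Ignore wine mmap_zero errors`, describes something weaker than what the tunable does: the new block in wine.te and the matching one in wine.if grant `allow wine_t self:memprotect mmap_zero;`, which lets the wine domain map memory below the kernel's mmap_min_addr floor rather than merely silencing the denial. That is exactly the mapping the low-address protection exists to withhold, so an administrator who turns the boolean on should be told the trade-off; I would reword the summary to something like `## Allow wine to map low memory (memprotect mmap_zero); this weakens the kernel low-address mapping protection for the wine domain`. If the intent is only to quiet AVC noise for users whose programs do not actually need the mapping, a `dontaudit` rule is the safer alternative. The XML markup around the description appears to have been lost in this view of the patch, so check the summary text against the file itself; the wine.if block also sits inside a template whose start and end are outside the hunk.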
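Review bot: `corenet_tcp_bind_http_port(openvpn_t)` is added unconditionally, right next to `corenet_tcp_bind_openvpn_port`, which already covers the daemon's own port; in refpolicy http_port_t labels the web-server ports (80 and 443 among others), so this lets a misconfigured or compromised openvpn_t take over any of them on a host that also runs a web server. If the use case is openvpn listening on 443 (the port-share setup), that deserves either a comment naming it or, consistent with how the wine change in this same commit is handled, a boolean that is off by default, e.g. `tunable_policy(`openvpn_bind_http_port',` corenet_tcp_bind_http_port(openvpn_t) ')` with a matching `gen_tunable` (name constructed here). The changelog line `Allow openvpn to bind to http port` records the grant but not why it is needed, so the reason cannot be recovered from this commit.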
@@ -703,6 +759,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 fonts_cache_t:dir setattr; +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te +--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-06 11:05:51.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-11 15:53:37.000000000 +0100 +@@ -181,6 +181,7 @@ + auth_read_all_dirs_except_shadow(mount_t) + auth_read_all_files_except_shadow(mount_t) + files_mounton_non_security(mount_t) ++ files_rw_all_inherited_files(mount_t) + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-06 11:05:51.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-08 16:35:49.000000000 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index ff086d7..c3cc70a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -453,6 +453,8 @@ exit 0 %changelog * Mon Jan 11 2010 Miroslav Grepl 3.6.32-69 - Fixes for iscsid +- Allow openvpn to bind to http port +- Add wine_mmap_zero_ignore boolean * Fri Jan 8 2010 Miroslav Grepl 3.6.32-68 - Fixes for xenconsoled
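Review bot: `files_rw_all_inherited_files(mount_t)` is a broad grant that is recorded neither in the commit subject nor in the spec changelog touched by this same commit, which lists only iscsid, openvpn and wine; the changelog should gain a line such as `- Allow mount to read/write inherited file descriptors` (wording constructed). The call sits inside a quoted block whose opening line, and therefore the tunable or optional_policy guarding it, is outside the hunk, so whether it is gated by the same condition as `files_mounton_non_security` cannot be confirmed from here. Judging by the interface name it appears to cover file descriptors of every file type that mount_t inherits from its caller; if that matches the implementation, a comment naming the caller that hands mount such descriptors (e.g. a wrapper that redirects output to a file) would make the grant reviewable and easier to narrow later. The fontconfig interface at the top of the hunk ends with `')` but begins outside it.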