From 2dd7d137ebef6f222d3a02610c1711548fe1fc3a Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 08 2010 14:10:30 +0000 Subject: - Add label for /opt/google/chrome/chrome-sandbox - Allow asterisk to bind and connect to sip tcp ports --- diff --git a/policy-20100106.patch b/policy-20100106.patch index cc88c42..bc8da10 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -1090,6 +1090,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(smoltclient_t) optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.32/policy/modules/admin/tzdata.te +--- nsaserefpolicy/policy/modules/admin/tzdata.te 2010-01-18 18:24:22.575546401 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/tzdata.te 2010-04-08 10:43:55.344115415 +0200 +@@ -18,6 +18,7 @@ + + files_read_etc_files(tzdata_t) + files_search_spool(tzdata_t) ++files_dontaudit_rw_tmp_files(tzdata_t) + + fs_getattr_xattr_fs(tzdata_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-01-18 18:24:22.584530156 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2010-03-04 16:57:21.397534068 +0100 
@@ -1185,6 +1196,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow searching for cdrom-drive dev_list_all_dev_nodes(cdrecord_t) dev_read_sysfs(cdrecord_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.6.32/policy/modules/apps/chrome.fc +--- nsaserefpolicy/policy/modules/apps/chrome.fc 2010-01-18 18:24:22.587539966 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.fc 2010-04-07 10:02:28.578626587 +0200 +@@ -1,2 +1,4 @@ + ++/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) ++ + /usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.32/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 2010-01-18 18:24:22.587539966 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2010-03-18 13:26:17.264514490 +0100 @@ -3890,7 +3909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_ROOT/lost\+found/.* <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-21 20:44:28.921325502 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-03-23 14:20:49.996390941 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-04-08 10:43:26.768115113 +0200 @@ -1152,6 +1152,102 @@ allow $1 file_type:filesystem unmount; ') 
@@ -4222,7 +4241,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3598,26 +3772,25 @@ +@@ -3480,6 +3654,24 @@ + read_files_pattern($1, tmp_t, tmp_t) + ') + ++####################################### ++## ++## dontaudit Read and write files in the tmp directory (/tmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_rw_tmp_files',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ dontaudit $1 tzdata_t:file rw_file_perms; ++') ++ + ######################################## + ## + ## Manage temporary directories in /tmp. +@@ -3598,26 +3790,25 @@ ######################################## ## @@ -4254,7 +4298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## of all tmp files. ## ## -@@ -3626,18 +3799,18 @@ +@@ -3626,18 +3817,18 @@ ## ## # @@ -4277,7 +4321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -3645,30 +3818,31 @@ +@@ -3645,30 +3836,31 @@ ## ## # @@ -4315,7 +4359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4438,7 +4612,7 @@ +@@ -4438,7 +4630,7 @@ ######################################## ## @@ -4324,7 +4368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -4446,17 +4620,17 @@ +@@ -4446,17 +4638,17 @@ ## ## # @@ -4346,7 +4390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -4464,17 +4638,17 @@ +@@ -4464,17 +4656,17 @@ ## ## # @@ -4368,7 +4412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -4482,12 +4656,12 @@ +@@ -4482,12 +4674,12 @@ ## ## # 
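Review bot: The new `files_dontaudit_rw_tmp_files` interface in the `+@@ -3480,6 +3654,24 @@` hunk requires `type tmp_t;` but its only rule is `dontaudit $1 tzdata_t:file rw_file_perms;`, so it never silences /tmp denials and instead names a type private to the tzdata module, which looks like a copy/paste slip from the call site. The rule should be `dontaudit $1 tmp_t:file rw_file_perms;`. As written it probably only expands cleanly inside tzdata.te, the single caller this commit adds (first hunk), because `tzdata_t` happens to be in scope there; any other caller would likely fail the build on an undeclared type. The summary line `dontaudit Read and write files in the tmp directory (/tmp).` also departs from the wording of the neighbouring dontaudit interfaces, e.g. `Do not audit attempts to read and write files in /tmp.`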
@@ -4384,7 +4428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4846,6 +5020,25 @@ +@@ -4846,6 +5038,25 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -4410,7 +4454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Do not audit attempts to search -@@ -4970,9 +5163,9 @@ +@@ -4970,9 +5181,9 @@ rw_files_pattern($1, var_run_t, var_run_t) ') @@ -4422,7 +4466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -4980,13 +5173,12 @@ +@@ -4980,13 +5191,12 @@ ## ## # @@ -4439,7 +4483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -5009,24 +5201,6 @@ +@@ -5009,24 +5219,6 @@ ######################################## ## @@ -4464,7 +4508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to ioctl daemon runtime data files. ## ## -@@ -5131,6 +5305,24 @@ +@@ -5131,6 +5323,24 @@ ######################################## ## @@ -4489,7 +4533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5537,3 +5729,23 @@ +@@ -5537,3 +5747,23 @@ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') 
@@ -4959,6 +5003,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 kernel_t:process sigkill; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.32/policy/modules/kernel/storage.if +--- nsaserefpolicy/policy/modules/kernel/storage.if 2010-01-18 18:24:22.714539638 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/storage.if 2010-04-08 11:06:41.815365567 +0200 +@@ -535,6 +535,26 @@ + + ######################################## + ## ++## Do not audit attempts made by the caller to write ++## removable devices device nodes. ++## ++## ++## ++## The type of the process to not audit. ++## ++## ++# ++interface(`storage_dontaudit_write_removable_device',` ++ gen_require(` ++ type removable_device_t; ++ ++ ') ++ ++ dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ++') ++ ++######################################## ++## + ## Allow the caller to set the attributes of removable + ## devices device nodes. + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-01-18 18:24:22.716539752 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2010-02-26 09:33:59.084547345 +0100 @@ -5822,7 +5896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-18 13:31:20.256514411 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-04-06 08:21:30.569541120 +0200 
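Review bot: The `gen_require` block of the new `storage_dontaudit_write_removable_device` interface has a stray blank line between `type removable_device_t;` and the closing `')`; the other interfaces in this patch keep the require block compact, so drop it. The rule itself, `dontaudit $1 removable_device_t:blk_file write_blk_file_perms;`, mirrors the existing read variant; its only caller in this commit is the snmp.te hunk further down.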
@@ -67,6 +67,13 @@ ## @@ -5879,7 +5953,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_iso9660_files(httpd_t) auth_use_nsswitch(httpd_t) -@@ -483,8 +493,14 @@ +@@ -458,6 +468,7 @@ + + tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) ++ logging_send_audit_msgs(httpd_t) + ') + + ## +@@ -483,8 +494,14 @@ corenet_tcp_connect_pop_port(httpd_t) corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) @@ -5895,7 +5977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_can_network_relay',` -@@ -588,6 +604,9 @@ +@@ -588,6 +605,9 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -5905,7 +5987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -612,6 +631,11 @@ +@@ -612,6 +632,11 @@ avahi_dbus_chat(httpd_t) ') ') @@ -5917,7 +5999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') -@@ -756,8 +780,14 @@ +@@ -756,8 +781,14 @@ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) corenet_tcp_connect_mysqld_port(httpd_suexec_t) corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) @@ -5933,7 +6015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_stream_connect(httpd_php_t) -@@ -895,6 +925,9 @@ +@@ -895,6 +926,9 @@ sysnet_read_config(httpd_sys_script_t) @@ -5943,7 +6025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -906,6 +939,7 @@ +@@ -906,6 +940,7 @@ fs_manage_nfs_files(httpd_sys_script_t) fs_manage_nfs_symlinks(httpd_sys_script_t) fs_exec_nfs_files(httpd_sys_script_t) 
@@ -5951,7 +6033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_nfs_dirs(httpd_suexec_t) fs_manage_nfs_files(httpd_suexec_t) -@@ -945,6 +978,7 @@ +@@ -945,6 +979,7 @@ fs_manage_cifs_files(httpd_suexec_t) fs_manage_cifs_symlinks(httpd_suexec_t) fs_exec_cifs_files(httpd_suexec_t) @@ -6025,8 +6107,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute asterisk diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-01-18 18:24:22.742540405 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2010-03-01 16:56:10.526493733 +0100 -@@ -128,6 +128,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2010-04-06 08:36:26.295539661 +0200 +@@ -104,6 +104,8 @@ + corenet_udp_bind_generic_node(asterisk_t) + corenet_tcp_bind_asterisk_port(asterisk_t) + corenet_udp_bind_asterisk_port(asterisk_t) ++corenet_tcp_bind_sip_port(asterisk_t) ++corenet_tcp_connect_sip_port(asterisk_t) + corenet_udp_bind_sip_port(asterisk_t) + corenet_sendrecv_asterisk_server_packets(asterisk_t) + # for VOIP voice channels. +@@ -128,6 +130,7 @@ files_read_usr_files(asterisk_t) fs_getattr_all_fs(asterisk_t) @@ -9757,7 +9848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-01-18 18:24:22.825542512 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-03-30 16:16:09.963611408 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-04-08 10:36:24.650115367 +0200 
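Review bot: In the asterisk.te hunk `+@@ -104,6 +104,8 @@`, the new `corenet_tcp_bind_sip_port(asterisk_t)` and `corenet_tcp_connect_sip_port(asterisk_t)` lines are not paired with packet-type rules, while the neighbouring asterisk-port grants are paired with `corenet_sendrecv_asterisk_server_packets(asterisk_t)`. On a system that labels packets (secmark), the bind/connect grants alone still leave the SIP packet send/receive denied. Adding `corenet_sendrecv_sip_server_packets(asterisk_t)` and `corenet_sendrecv_sip_client_packets(asterisk_t)` next to the new lines keeps the module consistent, assuming corenetwork generates those interfaces for the sip port as it does for the other ports.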
@@ -45,12 +45,14 @@ allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -9773,6 +9864,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) +@@ -180,7 +182,7 @@ + ') + + optional_policy(` +- consoletype_exec(NetworkManager_t) ++ consoletype_domtrans(NetworkManager_t) + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2010-01-18 18:24:22.826540614 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2010-01-29 09:57:02.171614102 +0100 @@ -12397,7 +12497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_dontaudit_manage_db(setroubleshoot_fixit_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-03-18 13:42:40.063765395 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-04-08 10:56:56.414115509 +0200 @@ -25,9 +25,9 @@ # # Local policy 
@@ -12418,6 +12518,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_agentx_port(snmpd_t) corenet_udp_bind_agentx_port(snmpd_t) +@@ -98,6 +99,7 @@ + + storage_dontaudit_read_fixed_disk(snmpd_t) + storage_dontaudit_read_removable_device(snmpd_t) ++storage_dontaudit_write_removable_device(snmpd_t) + + auth_use_nsswitch(snmpd_t) + auth_read_all_dirs_except_shadow(snmpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2010-01-18 18:24:22.893530558 +0100 +++ serefpolicy-3.6.32/policy/modules/services/snort.te 2010-03-23 12:56:33.380640374 +0100 @@ -13231,8 +13339,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(usbmuxd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-03-23 13:33:50.292390176 +0100 -@@ -194,6 +194,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-04-06 08:25:52.847789753 +0200 +@@ -118,6 +118,7 @@ + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + ') + + ######################################## +@@ -194,6 +195,7 @@ files_search_var_lib($1) read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) @@ -13240,7 +13356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -444,6 +445,9 @@ +@@ -444,6 +446,9 @@ domain_user_exemption_target($1_t) 
@@ -13250,7 +13366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type $1_tmp_t; files_tmp_file($1_tmp_t) -@@ -453,13 +457,18 @@ +@@ -453,13 +458,18 @@ type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) @@ -13269,7 +13385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -486,7 +495,6 @@ +@@ -486,7 +496,6 @@ optional_policy(` xserver_rw_shm($1_t) @@ -14677,7 +14793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-03-18 14:18:46.911764068 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-04-08 15:04:19.058115631 +0200 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.2.3) @@ -15025,18 +15141,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) -@@ -549,8 +575,10 @@ +@@ -549,8 +575,11 @@ storage_dontaudit_rw_fuse(xdm_t) term_setattr_console(xdm_t) +term_use_console(xdm_t) term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) ++term_relabel_unallocated_ttys(xdm_t) +term_relabel_all_ttys(xdm_t) auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) -@@ -566,7 +594,6 @@ +@@ -566,7 +595,6 @@ logging_read_generic_logs(xdm_t) 
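Review bot: In the xserver.te hunk `+@@ -549,8 +575,11 @@`, the new `term_relabel_unallocated_ttys(xdm_t)` is placed directly above the already-present `term_relabel_all_ttys(xdm_t)`; whether the two overlap depends on whether `tty_device_t` carries the `ttynode` attribute in this policy version, which is not visible here — confirm against terminal.if, and if the all-ttys grant already covers it, drop the new line. Either way neither line records which xdm operation needs to relabel terminals; a one-line why-comment above the pair would help the next reader tell the two grants apart.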
@@ -15044,7 +15161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_search_man_pages(xdm_t) miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -@@ -583,6 +610,7 @@ +@@ -583,6 +611,7 @@ userdom_signal_all_users(xdm_t) userdom_stream_connect(xdm_t) userdom_manage_user_tmp_dirs(xdm_t) @@ -15052,7 +15169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) -@@ -635,6 +663,7 @@ +@@ -635,6 +664,7 @@ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; xserver_xdm_append_log(xdm_dbusd_t) @@ -15060,7 +15177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_bin_entry_type(xdm_t) -@@ -667,7 +696,9 @@ +@@ -667,7 +697,9 @@ ') optional_policy(` @@ -15070,7 +15187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -685,11 +716,6 @@ +@@ -685,11 +717,6 @@ optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) @@ -15082,7 +15199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -705,13 +731,18 @@ +@@ -705,13 +732,18 @@ ') optional_policy(` @@ -15103,7 +15220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # On crash gdm execs gdb to dump stack -@@ -726,6 +757,10 @@ +@@ -726,6 +758,10 @@ ') optional_policy(` @@ -15114,7 +15231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -767,6 +802,14 @@ +@@ -767,6 +803,14 @@ # X server local policy # 
@@ -15129,7 +15246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer # sys_admin, locking shared mem? chowning IPC message queues or semaphores? -@@ -802,18 +845,12 @@ +@@ -802,18 +846,12 @@ allow xserver_t xauth_home_t:file read_file_perms; @@ -15149,7 +15266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -907,6 +944,7 @@ +@@ -907,6 +945,7 @@ mls_process_write_to_clearance(xserver_t) mls_file_read_to_clearance(xserver_t) mls_file_write_all_levels(xserver_t) @@ -15157,7 +15274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -928,13 +966,14 @@ +@@ -928,13 +967,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -15173,7 +15290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -952,7 +991,7 @@ +@@ -952,7 +992,7 @@ ') ifdef(`enable_mls',` @@ -15182,7 +15299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -961,15 +1000,17 @@ +@@ -961,15 +1001,17 @@ # but typeattribute doesnt work in conditionals allow xserver_t xserver_t:x_server *; 
@@ -15203,7 +15320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t xextension_type:x_extension *; allow xserver_t { x_domain xserver_t }:x_resource *; allow xserver_t xevent_type:{ x_event x_synthetic_event } *; -@@ -1016,6 +1057,7 @@ +@@ -1016,6 +1058,7 @@ # cjp: when xdm is configurable via tunable these # rules will be enabled only when xdm is enabled @@ -15211,7 +15328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t xdm_t:process { signal getpgid }; allow xserver_t xdm_t:shm rw_shm_perms; -@@ -1027,9 +1069,9 @@ +@@ -1027,9 +1070,9 @@ read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. @@ -15224,7 +15341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -1088,136 +1130,139 @@ +@@ -1088,136 +1131,139 @@ # # Hacks diff --git a/selinux-policy.spec b/selinux-policy.spec index da31759..33361ea 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 109%{?dist} +Release: 110%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,10 @@ exit 0 %endif %changelog +* Thu Apr 8 2010 Miroslav Grepl 3.6.32-110 +- Add label for /opt/google/chrome/chrome-sandbox +- Allow asterisk to bind and connect to sip tcp ports + * Fri Apr 2 2010 Miroslav Grepl 3.6.32-109 - Allow hald to manage block device files