From 41c9b1459fec3f80cbff30561f52b682462c3d53 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Apr 27 2010 10:41:58 +0000
Subject: - Fixes for lirc policy
---
diff --git a/policy-20090521.patch b/policy-20090521.patch
index bc58591..7901bec 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -1766,7 +1766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## Getattr the point-to-point device.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:51:11.969607384 +0100
-+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:51:30.720620172 +0100
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2010-04-27 12:15:33.412147158 +0200
 @@ -107,6 +107,7 @@
 network_port(giftd, tcp,1213,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
@@ -1784,9 +1784,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(ipmi, udp,623,s0, udp,664,s0)
-@@ -134,7 +135,7 @@
+@@ -133,8 +134,9 @@
+ network_port(ktalkd, udp,517,s0, udp,518,s0)
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
++network_port(lirc, tcp,8765,s0)
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 -network_port(mail, tcp,2000,s0)
 +network_port(mail, tcp,2000,s0, tcp,3905,s0)
@@ -3732,23 +3734,92 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.12/policy/modules/services/lircd.fc
+--- nsaserefpolicy/policy/modules/services/lircd.fc 2010-01-19 12:51:12.080617875 +0100
++++ serefpolicy-3.6.12/policy/modules/services/lircd.fc 2010-04-27 12:14:53.161897299 +0200
+@@ -6,4 +6,6 @@
+
+ /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+-/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
++/var/run/lircd\.pid -- gen_context(system_u:object_r:lircd_var_run_t,s0)
++/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
++/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-19 12:51:12.082608701 +0100
-+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2010-01-19 12:51:30.782616396 +0100
-@@ -45,6 +45,13 @@
- dev_filetrans(lircd_t, lircd_sock_t, sock_file )
- dev_read_generic_usb_dev(lircd_t)
++++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2010-04-27 12:13:21.313897261 +0200
+@@ -12,25 +12,22 @@
+ type lircd_initrc_exec_t;
+ init_script_file(lircd_initrc_exec_t)
+
+-# pid files
+-type lircd_var_run_t;
+-files_pid_file(lircd_var_run_t)
+-
+-# etc file
+ type lircd_etc_t;
+ files_config_file(lircd_etc_t)
+
+-# type for lircd /dev/ sock file
+-type lircd_sock_t;
+-files_type(lircd_sock_t)
++type lircd_var_run_t alias lircd_sock_t;
++files_pid_file(lircd_var_run_t)
+
+ ########################################
+ #
+ # lircd local policy
+ #
+-allow lircd_t self:process signal;
++allow lircd_t self:capability { chown kill sys_admin };
++allow lircd_t self:process { fork signal };
+ allow lircd_t self:unix_dgram_socket create_socket_perms;
++allow lircd_t self:fifo_file rw_fifo_file_perms;
++allow lircd_t self:tcp_socket create_stream_socket_perms;
+
+ # etc file
+ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+@@ -38,21 +35,34 @@
+ # pid file
+ manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+ manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
++manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+ files_pid_filetrans(lircd_t,lircd_var_run_t, { dir file })
+
++corenet_tcp_bind_generic_node(lircd_t)
++corenet_tcp_bind_lirc_port(lircd_t)
++corenet_tcp_connect_lirc_port(lircd_t)
++corenet_tcp_sendrecv_all_ports(lircd_t)
++corenet_tcp_sendrecv_generic_if(lircd_t)
++
+ # /dev/lircd socket
+-manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
+-dev_filetrans(lircd_t, lircd_sock_t, sock_file )
++dev_filetrans(lircd_t, lircd_var_run_t, sock_file )
+ dev_read_generic_usb_dev(lircd_t)
++dev_rw_mouse(lircd_t)
 +dev_filetrans_lirc(lircd_t)
-+dev_rw_input_dev(lircd_t)
 +dev_rw_lirc(lircd_t)
-+dev_rw_mouse(lircd_t)
++dev_rw_input_dev(lircd_t)
+
+-logging_send_syslog_msg(lircd_t)
+-
+-files_read_etc_files(lircd_t)
+ files_list_var(lircd_t)
+ files_manage_generic_locks(lircd_t)
+ files_read_all_locks(lircd_t)
++files_read_etc_files(lircd_t)
+
+ fs_list_inotifyfs(lircd_t)
+
++term_use_ptmx(lircd_t)
+
-+dev_read_generic_usb_dev(lircd_t)
++logging_send_syslog_msg(lircd_t)
+
- logging_send_syslog_msg(lircd_t)
+ miscfiles_read_localization(lircd_t)
- files_read_etc_files(lircd_t)
++sysnet_dns_name_resolve(lircd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if 2010-01-19 12:51:12.085617812 +0100
 +++ serefpolicy-3.6.12/policy/modules/services/mailman.if 2010-01-19 12:51:30.783607654 +0100
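Review bot: `files_pid_filetrans(lircd_t,lircd_var_run_t, { dir file })` is left at `{ dir file }` while the same hunk adds `manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)` and the .fc hunk adds `/var/run/lircd(/.*)?`, so a socket lircd creates directly under /var/run (which the new rules presumably anticipate) would inherit the directory's type instead of lircd_var_run_t and the new sock_file rule would not apply to it; `files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file sock_file })` keeps runtime labelling consistent with the file context. The new `allow lircd_t self:capability { chown kill sys_admin };` grants sys_admin, which is far broader than anything else in this module; it should carry a comment naming the operation that required it, or become a `dontaudit` if the denial was only noise, so a later reviewer can judge whether it is still needed. `corenet_tcp_sendrecv_all_ports(lircd_t)` likewise goes beyond the single port that the bind/connect pair is limited to; if no other port is used, `corenet_tcp_sendrecv_lirc_port(lircd_t)` would match it. The lircd.te policy body this hunk patches continues beyond the hunk on both sides.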
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 413e45f..4aaf4b3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 97%{?dist}
+Release: 98%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -442,6 +442,9 @@ exit 0
 %endif
 %changelog
+* Tue Apr 27 2010 Miroslav Grepl 3.6.12-98
+- Fixes for lirc policy
+
 * Fri Apr 23 2010 Miroslav Grepl 3.6.12-97
 - Add ldap_stream_connect_dirsrv interface