From 686d80e2636a3365e33e016569bd95b3c5e2eaae Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 10 2009 17:46:51 +0000
Subject: - Allow setroubleshoot to run mlocate
---
diff --git a/policy-20090521.patch b/policy-20090521.patch
index bdd57b5..c9ade97 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -77,6 +77,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
+--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-06-09 06:55:30.000000000 -0400
+@@ -93,6 +93,7 @@
+ 
+ optional_policy(`
+ virt_manage_images(qemu_t)
++ virt_append_log(qemu_t)
+ ')
+ 
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-22 10:14:07.000000000 -0400
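Review bot: The added `virt_append_log(qemu_t)` in the qemu.te hunk is not covered by the commit subject or by the changelog entry in selinux-policy.spec, which only mention setroubleshoot and mlocate, so the new grant to qemu_t is untraceable from the package history. The qemu, dcc and pyzor additions in this patch should each get their own changelog bullet, e.g. `- Allow qemu to append to virt log files`. The choice of an append-only interface rather than a write interface is the narrower option and worth keeping; the qemu.te block this hunk edits continues outside the inner hunk.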
@@ -503,6 +514,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 gen_require(`
 class dbus send_msg;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
+--- nsaserefpolicy/policy/modules/services/dcc.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-06-09 07:21:39.000000000 -0400
+@@ -130,11 +130,13 @@
+ 
+ # Access files in /var/dcc. The map file can be updated
+ allow dcc_client_t dcc_var_t:dir list_dir_perms;
+-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
++manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+ 
+ kernel_read_system_state(dcc_client_t)
+ 
++fs_getattr_all_fs(dcc_client_t)
++
+ corenet_all_recvfrom_unlabeled(dcc_client_t)
+ corenet_all_recvfrom_netlabel(dcc_client_t)
+ corenet_udp_bind_generic_node(dcc_client_t)
+@@ -154,6 +156,10 @@
+ userdom_use_user_terminals(dcc_client_t)
+ 
+ optional_policy(`
++ amavis_read_spool_files(dcc_client_t)
++')
++
++optional_policy(`
+ spamassassin_read_spamd_tmp_files(dcc_client_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-05-21 12:57:07.000000000 -0400
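Review bot: Replacing `read_files_pattern` with `manage_files_pattern` on dcc_var_t gives dcc_client_t create, rename and unlink on every file under /var/dcc, not just write, while the comment kept in the hunk only says "The map file can be updated"; `rw_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` would cover an in-place update without the create/delete rights. If the client really rewrites the map by creating a new file and renaming it over the old one, manage is the right interface and the comment should say so, e.g. `# The map file is replaced via a temporary file and rename`. The `fs_getattr_all_fs` and `amavis_read_spool_files` additions in the same hunk are likewise not mentioned in the changelog entry.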
@@ -629,6 +669,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te
+--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/pyzor.te 2009-06-09 07:21:04.000000000 -0400
+@@ -97,6 +97,8 @@
+ kernel_read_kernel_sysctls(pyzor_t)
+ kernel_read_system_state(pyzor_t)
+ 
++fs_getattr_xattr_fs(pyzor_t)
++
+ corecmd_list_bin(pyzor_t)
+ corecmd_getattr_bin_files(pyzor_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-06-08 08:39:25.000000000 -0400
@@ -677,6 +729,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 postfix_domtrans_master(sendmail_t)
 postfix_read_config(sendmail_t)
 postfix_search_spool(sendmail_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te 2009-06-10 11:22:59.000000000 -0400
+@@ -121,6 +121,10 @@
+ userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
+ 
+ optional_policy(`
++ locate_read_lib_files(setroubleshootd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(setroubleshootd_t)
+ dbus_connect_system_bus(setroubleshootd_t)
+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-05-21 08:31:58.000000000 -0400
@@ -687,7 +753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-21 12:58:18.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-06-09 06:54:00.000000000 -0400
 @@ -183,6 +183,7 @@
 seutil_read_default_contexts(virtd_t)
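Review bot: `locate_read_lib_files(setroubleshootd_t)` grants read access to the locate database files under /var/lib, not execution of mlocate, so the subject "Allow setroubleshoot to run mlocate" and the matching changelog line overstate the change; if setroubleshootd only consults the database the wording should be `- Allow setroubleshoot to read the mlocate database`, and if it actually executes locate, an exec or domain-transition interface from the locate module is still missing here. The mlocate database enumerates paths across the whole filesystem and is normally not world-readable, so the grant deserves a one-line why-comment above the call, e.g. `# setroubleshoot plugins presumably look up mislabeled paths in the mlocate db -- confirm`. The dbus optional_policy block that follows the added lines continues outside the inner hunk.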
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8dbf1d8..63e52bc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 47%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 %changelog
+* Thu Jun 4 2009 Dan Walsh 3.6.12-48
+- Allow setroubleshoot to run mlocate
+
 * Thu Jun 4 2009 Dan Walsh 3.6.12-47
 - Allow fprintd to read /proc