From 812930ae8d180c4b7a6219cf56ab969e87b734fb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 28 2008 23:22:15 +0000 Subject: - Allow openoffice execstack/execmem privs --- diff --git a/policy-20080710.patch b/policy-20080710.patch index c08338e..e90cb7a 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -5821,6 +5821,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.5.13/policy/modules/apps/webalizer.te +--- nsaserefpolicy/policy/modules/apps/webalizer.te 2008-10-16 17:21:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te 2008-10-28 19:20:51.000000000 -0400 +@@ -68,6 +68,7 @@ + + fs_search_auto_mountpoints(webalizer_t) + fs_getattr_xattr_fs(webalizer_t) ++fs_rw_anon_inodefs_files(webalizer_t) + + files_read_etc_files(webalizer_t) + files_read_etc_runtime_files(webalizer_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2008-08-07 11:15:02.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2008-10-28 10:56:19.000000000 -0400 @@ -9491,8 +9502,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.13/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te 2008-10-28 11:05:49.000000000 -0400 -@@ -13,3 +13,20 @@ ++++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te 2008-10-28 19:21:12.000000000 -0400 +@@ -13,3 +13,18 @@ userdom_unpriv_user_template(user) 
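Review bot: The added `fs_rw_anon_inodefs_files(webalizer_t)` in the webalizer.te section gives webalizer_t read/write on anon_inodefs files with no comment saying which denial it answers, and the commit subject mentions only openoffice. If the access comes from a descriptor inherited from the calling process rather than something webalizer itself needs, a dontaudit rule would be narrower than an allow. I would put a line above it such as `# <AVC denial or bug reference, placeholder>: webalizer needs rw on anon_inodefs because ...` so the grant can be audited later. The type-enforcement block it sits in starts and ends outside the inner hunk, so the surrounding rules are not visible here.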
@@ -9511,8 +9522,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) +') -+ -+gen_user(user_u, user, user_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.13/policy/modules/roles/webadm.fc --- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.13/policy/modules/roles/webadm.fc 2008-10-28 10:56:19.000000000 -0400 @@ -33328,18 +33337,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`manage_key_perms', `{ create link read search setattr view write } ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.13/policy/users --- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/users 2008-10-28 11:14:49.000000000 -0400 -@@ -24,12 +24,9 @@ - # SELinux user identity for a Linux user. If you do not want to ++++ serefpolicy-3.5.13/policy/users 2008-10-28 19:21:24.000000000 -0400 +@@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # --gen_user(user_u, user, user_r, s0, s0) + gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -+#gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/selinux-policy.spec b/selinux-policy.spec index 99aae39..63ade9d 100644 
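Review bot: The policy/users section now keeps `gen_user(user_u, user, user_r, s0, s0)` in the base users file, and the unprivuser.te section no longer adds it, but neither the commit message nor the file says why the declaration moved. Where user_u is declared decides whether the identity exists independently of the unprivuser module, so I would record it in the changelog, e.g. `- Define user_u in policy/users again instead of the unprivuser module`. The inner hunk header also changed from `@@ -24,12 +24,9 @@` to `@@ -25,11 +25,8 @@`; it is worth confirming the regenerated patch still applies cleanly to the upstream file. The unchanged context around it still adds `system_r` to staff_u and drops the unconfined_u entry, and a short comment in policy/users explaining both would help anyone auditing role assignments.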
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,7 +16,7 @@ %define POLICYVER 23 %define libsepolver 2.0.20-1 %define POLICYCOREUTILSVER 2.0.54-2 -%define CHECKPOLICYVER 2.0.16-1 +%define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13