From 819f419b33dc7b1370fe7454a5eb376d5d423039 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 07 2009 21:06:52 +0000 Subject: - fix multiple directory ownership of mandirs --- diff --git a/policy-F12.patch b/policy-F12.patch index 2707bbb..50bc00f 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -300,14 +300,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.21/policy/mcs --- nsaserefpolicy/policy/mcs 2009-05-21 08:43:08.000000000 -0400 -+++ serefpolicy-3.6.21/policy/mcs 2009-07-01 10:43:35.000000000 -0400 ++++ serefpolicy-3.6.21/policy/mcs 2009-07-07 14:12:47.000000000 -0400 @@ -66,8 +66,8 @@ # # Note that getattr on files is always permitted. # -mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } - ( h1 dom h2 ); -+mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom } ++mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom } + (( h1 dom h2 ) or ( t1 == mlsfilewrite )); mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } @@ -414,7 +414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.21/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.21/policy/modules/admin/kismet.te 2009-07-06 08:49:16.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/admin/kismet.te 2009-07-07 14:23:36.000000000 -0400 
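Review bot: The rewritten `mlsconstrain` line in the policy/mcs hunk drops sock_file and fifo_file from the constrained class set, so the `( h1 dom h2 ) or ( t1 == mlsfilewrite )` check no longer applies to write, unlink, rename or relabelfrom on those objects and only the TE rules separate domains with differing category sets; neither the commit subject nor the patch says why. If this is intentional (for instance because the constraint broke a particular service), record it beside the line, e.g. `# sock_file/fifo_file deliberately left out of the MCS write constraint: <reason placeholder>`, so the relaxation is not carried forward silently. The `dir` constraint that begins on the hunk's last context line, and the rest of the mcs constraints, continue outside the hunk.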
@@ -20,21 +20,37 @@ type kismet_log_t; logging_log_file(kismet_log_t) @@ -487,7 +487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client(kismet_t) + + optional_policy(` -+ networkmanager_dbus_chatkismet_t) ++ networkmanager_dbus_chat(kismet_t) + ') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.21/policy/modules/admin/logrotate.te @@ -10767,7 +10767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.21/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:43:08.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/services/consolekit.te 2009-07-01 10:43:35.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/services/consolekit.te 2009-07-07 14:09:28.000000000 -0400 @@ -11,7 +11,7 @@ init_daemon_domain(consolekit_t, consolekit_exec_t) @@ -11779,7 +11779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.21/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-06-26 13:59:19.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/services/cups.te 2009-07-05 22:15:25.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/services/cups.te 2009-07-07 14:21:24.000000000 -0400 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) 
@@ -12186,7 +12186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_etc_files(cups_pdf_t) +files_read_usr_files(cups_pdf_t) + -+fs_rw_anon_inodefs_files(cupsd_pdf_t) ++fs_rw_anon_inodefs_files(cups_pdf_t) + +kernel_read_system_state(cups_pdf_t) + @@ -12889,8 +12889,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.21/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.21/policy/modules/services/devicekit.te 2009-07-06 14:26:02.000000000 -0400 -@@ -0,0 +1,237 @@ ++++ serefpolicy-3.6.21/policy/modules/services/devicekit.te 2009-07-07 14:07:07.000000000 -0400 +@@ -0,0 +1,239 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -13037,6 +13037,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:process signal_perms; ++ +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; + 
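Review bot: The new `allow devicekit_disk_t self:process signal_perms;` in the devicekit.te hunk grants the whole signal_perms set with no comment on which signal the daemon actually needs. If the denial that prompted it named a single permission, the narrower form (`signal`, `sigchld` or whichever the audit record showed) keeps the rule minimal; either way a why-comment such as `# sends <signal placeholder> to processes in its own domain -- confirm against the denial` lets the next maintainer tell intent from accident. The devicekit_disk_t local policy block this rule belongs to starts and ends outside the hunk.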
@@ -16182,6 +16184,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.21/policy/modules/services/openvpn.te +--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/services/openvpn.te 2009-07-07 14:12:16.000000000 -0400 +@@ -86,6 +86,7 @@ + corenet_udp_bind_openvpn_port(openvpn_t) + corenet_tcp_connect_openvpn_port(openvpn_t) + corenet_tcp_connect_http_port(openvpn_t) ++corenet_tcp_connect_http_cache_port(openvpn_t) + corenet_rw_tun_tap_dev(openvpn_t) + corenet_sendrecv_openvpn_server_packets(openvpn_t) + corenet_sendrecv_openvpn_client_packets(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.21/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-03-23 13:47:11.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/pcscd.te 2009-07-01 10:43:36.000000000 -0400 @@ -19814,7 +19827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.21/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-06-26 13:59:19.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/services/setroubleshoot.te 2009-07-01 14:04:44.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/services/setroubleshoot.te 2009-07-07 14:10:21.000000000 -0400 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) 
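Review bot: The added `corenet_tcp_connect_http_cache_port(openvpn_t)` in the openvpn.te hunk is unconditional and uncommented, so every openvpn_t instance may now open TCP connections to the http_cache port set whether or not its configuration uses a proxy. Presumably this is for OpenVPN's HTTP proxy support; say so on the line, e.g. `# outbound proxy connections for http-proxy configurations`, and if the module already carries a tunable for optional outbound traffic, consider placing the call under it rather than in the always-on rule run. The openvpn_t rule block this hunk edits begins and ends outside the hunk.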
@@ -19875,7 +19888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +112,47 @@ +@@ -94,23 +112,50 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -19923,8 +19936,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(setroubleshoot_fixit_t) + -+permissive setroubleshoot_fixit_t; ++optional_policy(` ++ polkit_dbus_chat(setroubleshoot_fixit_t) ++') + ++permissive setroubleshoot_fixit_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.21/policy/modules/services/shorewall.fc --- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.21/policy/modules/services/shorewall.fc 2009-07-01 10:43:36.000000000 -0400 @@ -22730,7 +22746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.21/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-26 13:59:19.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-01 10:43:36.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-07 15:47:58.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -23110,7 +23126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +589,45 @@ +@@ -515,12 +589,46 @@ ') optional_policy(` @@ -23129,6 +23145,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + devicekit_power_dbus_chat(xdm_t) ++ devicekit_disk_dbus_chat(xdm_t) + ') + + optional_policy(` 
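Review bot: The setroubleshoot.te hunk keeps `permissive setroubleshoot_fixit_t;` on the new side below the added polkit block, so none of that domain's rules, including the new `polkit_dbus_chat(setroubleshoot_fixit_t)`, are enforced and the access this commit grants cannot yet be confirmed as sufficient or minimal. A note on the permissive line stating the condition for its removal, e.g. `# TODO: drop permissive once setroubleshoot_fixit_t runs clean in enforcing mode`, would keep it from reaching a release unnoticed. The dbus_chat interfaces in this policy generally allow send_msg in both directions, which is appropriate for polkit authorization but deserves a word in the patch since the fixit domain is presumably the privileged half of setroubleshoot. The setroubleshoot_fixit_t section that precedes this hunk lies outside it.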
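Review bot: The added `devicekit_disk_dbus_chat(xdm_t)` in the xserver.te hunk carries no comment on why the display manager needs a D-Bus conversation with the DeviceKit disks daemon, and xdm_t appears to be a login-path domain whose rule set is already large (the renumbered inner hunk headers later in this commit show the xdm section growing). Record the feature that needs it, e.g. `# <feature placeholder> in the greeter talks to DeviceKit-disks`, so the rule can be retired when that feature changes. The enclosing optional_policy block and the xdm_t section continue outside the hunk.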
@@ -23156,7 +23173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +649,28 @@ +@@ -542,6 +650,28 @@ ') optional_policy(` @@ -23185,7 +23202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +679,9 @@ +@@ -550,8 +680,9 @@ ') optional_policy(` @@ -23197,7 +23214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +690,6 @@ +@@ -560,7 +691,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -23205,7 +23222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +700,10 @@ +@@ -571,6 +701,10 @@ ') optional_policy(` @@ -23216,7 +23233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +720,7 @@ +@@ -587,7 +721,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23225,7 +23242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +735,11 @@ +@@ -602,9 +736,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -23237,7 +23254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +751,14 @@ +@@ -616,13 +752,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -23253,7 +23270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +771,19 @@ +@@ -635,9 +772,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23273,7 +23290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +826,14 @@ +@@ -680,9 +827,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -23288,7 +23305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +848,12 @@ +@@ -697,8 +849,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23301,7 +23318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +875,7 @@ +@@ -720,6 +876,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -23309,7 +23326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +898,7 @@ +@@ -742,7 +899,7 @@ ') ifdef(`enable_mls',` 
@@ -23318,7 +23335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,12 +930,20 @@ +@@ -774,12 +931,20 @@ ') optional_policy(` @@ -23340,7 +23357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -806,7 +970,7 @@ +@@ -806,7 +971,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -23349,7 +23366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +991,14 @@ +@@ -827,9 +992,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23364,7 +23381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +1013,14 @@ +@@ -844,11 +1014,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -23380,7 +23397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1028,11 @@ +@@ -856,6 +1029,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -23392,7 +23409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1058,8 @@ +@@ -881,6 +1059,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; 
@@ -23401,7 +23418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1084,8 @@ +@@ -905,6 +1085,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23410,7 +23427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1153,49 @@ +@@ -972,17 +1154,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; diff --git a/selinux-policy.spec b/selinux-policy.spec index f709c50..2d0e05c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -185,7 +185,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 3005. +Based off of reference policy: Checked out revision 3011. %build