From 883ff39222044249d48c6b6f0d18574fba7a980e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 31 2007 14:06:16 +0000 Subject: - Add spufs --- diff --git a/policy-20070501.patch b/policy-20070501.patch index 4c63b93..12fa6c1 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -700,7 +700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.6.4/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/su.if 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/su.if 2007-05-30 13:50:04.000000000 -0400 @@ -41,12 +41,11 @@ allow $2 $1_su_t:process signal; @@ -731,11 +731,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s logging_send_syslog_msg($1_su_t) miscfiles_read_localization($1_su_t) -@@ -174,11 +175,9 @@ +@@ -174,11 +175,10 @@ allow $2 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; ++ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_fifo_file_perms; @@ -743,7 +744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s allow $1_su_t self:key { search write }; # Transition from the user domain to this domain. -@@ -204,9 +203,11 @@ +@@ -204,9 +204,11 @@ selinux_compute_access_vector($1_su_t) auth_domtrans_user_chk_passwd($1,$1_su_t) 
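Review bot: The rewritten rule `++ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };` drops `audit_control` and `audit_write` relative to the line the inner hunk removes, and neither the subject line nor the changelog mentions it. If su's PAM stack still writes audit records (pam_loginuid and similar), those writes will now be denied for $1_su_t and surface as AVC denials instead of audit events. If the two capabilities are now supplied by an authlogin interface added elsewhere in this patch, a comment above the rule naming that interface would make the dependency visible; otherwise they should stay in the set. The enclosing su template starts and ends outside the hunk.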
@@ -756,7 +757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s corecmd_search_bin($1_su_t) -@@ -227,6 +228,7 @@ +@@ -227,6 +229,7 @@ libs_use_shared_libs($1_su_t) logging_send_syslog_msg($1_su_t) @@ -764,7 +765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s miscfiles_read_localization($1_su_t) -@@ -310,6 +312,8 @@ +@@ -310,6 +313,8 @@ xserver_domtrans_user_xauth($1, $1_su_t) ') @@ -1843,7 +1844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-05-29 23:12:59.000000000 -0400 @@ -54,17 +54,29 @@ type capifs_t; @@ -1886,10 +1887,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type nfsd_fs_t; fs_type(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) -@@ -105,6 +122,11 @@ +@@ -105,6 +122,16 @@ genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) files_mountpoint(rpc_pipefs_t) ++type spufs_t; ++fs_type(spufs_t) ++genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) ++files_mountpoint(spufs_t) ++ +type vxfs_t; +fs_noxattr_type(vxfs_t) +files_mountpoint(vxfs_t) 
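Review bot: The new `spufs_t` block labels the entire mount through `genfscon spufs /`, but as far as this diff shows no interface in filesystem.if grants any domain access to the type, so confined domains opening SPU contexts under spufs will be denied until a matching `fs_*_spufs`-style interface exists (the remaining hunks here touch only .te files). The declaration uses `fs_type` like the surrounding genfscon pseudo-filesystems (`nfsd_fs_t`, `rpc_pipefs_t`) while the adjacent `vxfs_t` uses `fs_noxattr_type`, which is consistent but unexplained. A comment such as `# Cell/B.E. SPU file system; one label for the whole mount via genfscon, no per-file xattrs` above `type spufs_t;` would record the intent.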
@@ -2429,7 +2435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-05-23 14:17:52.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-05-30 07:20:12.000000000 -0400 @@ -47,6 +47,13 @@ ## Allow http daemon to tcp connect ##

@@ -2472,6 +2478,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; # domains that can exec all users scripts +@@ -215,7 +243,7 @@ + # Apache server local policy + # + +-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; ++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; + dontaudit httpd_t self:capability { net_admin sys_tty_config }; + allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow httpd_t self:fd use; @@ -257,6 +285,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -2990,7 +3005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # fcron wants an instant update of a crontab change for the administrator diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-05-30 13:14:37.000000000 -0400 @@ -42,6 +42,9 @@ type cron_log_t; logging_log_file(cron_log_t) @@ -6385,7 +6400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.4/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-05-29 14:46:48.000000000 -0400 
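Review bot: The rewritten line `++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };` grants `sys_nice` to the web server with no comment on what needs it; since this lets httpd change scheduling priority and CPU affinity for itself and anything it spawns that retains the capability, a one-line comment naming the trigger, e.g. `# sys_nice: <module or program calling setpriority — fill in>`, would let a later reviewer judge whether a dontaudit would have sufficed. The rule also keeps `sys_tty_config` both in this allow and in the `dontaudit httpd_t self:capability { net_admin sys_tty_config };` context line below, which looks redundant but predates this change.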
@@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -6400,7 +6415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo type chkpwd_exec_t; corecmd_executable_file(chkpwd_exec_t) -@@ -244,7 +251,6 @@ +@@ -244,7 +249,6 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) @@ -6408,7 +6423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -252,6 +258,8 @@ +@@ -252,15 +256,14 @@ # System check password local policy # @@ -6417,7 +6432,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo allow system_chkpwd_t shadow_t:file { getattr read }; corecmd_search_bin(system_chkpwd_t) -@@ -305,3 +313,30 @@ + + domain_dontaudit_use_interactive_fds(system_chkpwd_t) + +-term_dontaudit_use_unallocated_ttys(system_chkpwd_t) +-term_dontaudit_use_generic_ptys(system_chkpwd_t) +- + userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) + userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) + userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) +@@ -305,3 +308,30 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -6450,7 +6474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.6.4/policy/modules/system/clock.te --- nsaserefpolicy/policy/modules/system/clock.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/clock.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/clock.te 2007-05-29 14:47:46.000000000 -0400 @@ -26,8 +26,6 @@ allow hwclock_t self:process signal_perms; allow hwclock_t self:fifo_file { getattr read write }; 
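Review bot: The lines `+-term_dontaudit_use_unallocated_ttys(system_chkpwd_t)` and `+-term_dontaudit_use_generic_ptys(system_chkpwd_t)` make the Fedora patch strip these dontaudit rules from upstream, and the same is done for `hwclock_t` in clock.te (the hunk at the start of the next line) and for `ldconfig_t` in libraries.te (the inner `@@ -99,8 +100,7 @@` hunk further down). The replacement rules added in init.te are attached to the `daemon` attribute, and nothing in this diff shows system_chkpwd_t, hwclock_t or ldconfig_t carrying that attribute; if they are `init_system_domain` or plain `domain_type` domains, the inherited tty/pty denials these rules silenced will start appearing in the audit log, which is noise for defenders and setroubleshoot rather than an access change. Either confirm the attribute or keep the per-domain rules, and add a comment like `# tty/pty dontaudits moved to the daemon attribute in init.te` where they are removed.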
@@ -6460,7 +6484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock. # Allow hwclock to store & retrieve correction factors. allow hwclock_t adjtime_t:file { rw_file_perms setattr }; -@@ -61,6 +59,7 @@ +@@ -61,12 +59,11 @@ libs_use_shared_libs(hwclock_t) logging_send_syslog_msg(hwclock_t) @@ -6468,6 +6492,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock. miscfiles_read_localization(hwclock_t) + ifdef(`targeted_policy',` +- term_dontaudit_use_unallocated_ttys(hwclock_t) +- term_dontaudit_use_generic_ptys(hwclock_t) + files_dontaudit_read_root_files(hwclock_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.6.4/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/fstools.fc 2007-05-21 10:46:53.000000000 -0400 @@ -6741,7 +6771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.4/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-05-29 14:45:49.000000000 -0400 @@ -10,13 +10,20 @@ # Declarations # @@ -6805,7 +6835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`targeted_policy',` domain_subj_id_change_exemption(initrc_t) unconfined_domain(initrc_t) -@@ -520,11 +532,21 @@ +@@ -520,11 +532,22 @@ tunable_policy(`allow_daemons_use_tty',` term_use_unallocated_ttys(daemon) term_use_generic_ptys(daemon) 
@@ -6814,9 +6844,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + unconfined_rw_pipes(daemon) + ', ` + # system-config-services causes avc messages that should be dontaudited ++ term_dontaudit_use_unallocated_ttys(daemon) ++ term_dontaudit_use_generic_ptys(daemon) + unconfined_dontaudit_rw_pipes(daemon) -+ -+ ') ++ ') + optional_policy(` mono_domtrans(initrc_t) @@ -6829,7 +6860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ',` # cjp: require doesnt work in the else of optionals :\ # this also would result in a type transition -@@ -735,6 +757,9 @@ +@@ -735,6 +758,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -6871,8 +6902,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-2.6.4/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/ipsec.te 2007-05-21 10:46:53.000000000 -0400 -@@ -289,6 +289,7 @@ ++++ serefpolicy-2.6.4/policy/modules/system/ipsec.te 2007-05-29 14:50:06.000000000 -0400 +@@ -289,6 +287,7 @@ allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket { create read setopt write }; 
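Review bot: The added `term_dontaudit_use_unallocated_ttys(daemon)` and `term_dontaudit_use_generic_ptys(daemon)` calls sit under the existing comment `# system-config-services causes avc messages that should be dontaudited`, which only describes the `unconfined_dontaudit_rw_pipes(daemon)` line; widen it, e.g. `# allow_daemons_use_tty off: silence tty/pty and unconfined-pipe denials for all daemons (replaces per-domain dontaudits in authlogin, clock, libraries, xen)`. Worth stating there as well: with the boolean off, a daemon that genuinely needs a terminal no longer leaves an AVC record pointing at the boolean, so this dontaudit hides exactly the denial an administrator would use to diagnose it. The enclosing `tunable_policy` block for allow_daemons_use_tty starts outside the hunk.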
@@ -6932,7 +6963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-05-29 14:50:26.000000000 -0400 @@ -62,7 +62,8 @@ manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) @@ -6943,10 +6974,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t) -@@ -101,6 +102,7 @@ +@@ -99,8 +100,7 @@ + ifdef(`targeted_policy',` + allow ldconfig_t lib_t:file read_file_perms; files_read_generic_tmp_symlinks(ldconfig_t) - term_dontaudit_use_generic_ptys(ldconfig_t) - term_dontaudit_use_unallocated_ttys(ldconfig_t) +- term_dontaudit_use_generic_ptys(ldconfig_t) +- term_dontaudit_use_unallocated_ttys(ldconfig_t) + files_read_generic_tmp_files(ldconfig_t) ') @@ -7191,7 +7224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-05-29 14:51:01.000000000 -0400 @@ -7,10 +7,15 @@ # 
@@ -7259,7 +7292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(auditd_t) libs_use_ld_so(auditd_t) -@@ -267,6 +276,9 @@ +@@ -267,6 +269,9 @@ # create/append log files. manage_files_pattern(syslogd_t,var_log_t,var_log_t) @@ -7269,7 +7302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -331,6 +343,7 @@ +@@ -331,6 +336,7 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) @@ -7290,7 +7323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.6.4/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/lvm.te 2007-05-23 13:28:28.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/lvm.te 2007-05-29 14:51:07.000000000 -0400 @@ -16,6 +16,7 @@ type lvm_t; type lvm_exec_t; @@ -7299,7 +7332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te # needs privowner because it assigns the identity system_u to device nodes # but runs as the identity of the sysadmin domain_obj_id_change_exemption(lvm_t) -@@ -155,7 +156,9 @@ +@@ -155,7 +154,9 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid 
@@ -7310,7 +7343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. -@@ -233,6 +236,8 @@ +@@ -233,6 +234,8 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -7319,7 +7352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -251,6 +256,7 @@ +@@ -251,6 +254,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -7327,7 +7360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te term_getattr_all_user_ttys(lvm_t) term_list_ptys(lvm_t) -@@ -305,5 +311,14 @@ +@@ -305,5 +309,14 @@ ') optional_policy(` @@ -7568,7 +7601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlab libs_use_ld_so(netlabel_mgmt_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.4/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-05-21 13:29:06.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-05-29 14:51:30.000000000 -0400 @@ -19,7 +19,7 @@ # Local policy # 
@@ -7636,7 +7669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-05-23 10:41:40.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-05-29 14:51:48.000000000 -0400 @@ -1,10 +1,8 @@ policy_module(selinuxutil,1.5.0) @@ -7778,7 +7811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Restorecond local policy -@@ -490,7 +497,7 @@ +@@ -490,7 +492,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -7787,7 +7820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -504,6 +511,7 @@ +@@ -504,6 +506,7 @@ term_dontaudit_list_ptys(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -7795,7 +7828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) -@@ -560,7 +568,7 @@ +@@ -560,7 +563,7 @@ allow semanage_t self:capability { dac_override audit_write }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; @@ -7804,7 +7837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu allow semanage_t policy_config_t:file { read write }; -@@ -571,7 +579,10 @@ +@@ -571,7 +574,10 @@ kernel_read_system_state(semanage_t) kernel_read_kernel_sysctls(semanage_t) 
@@ -7815,7 +7848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu dev_read_urand(semanage_t) -@@ -595,6 +606,8 @@ +@@ -595,6 +601,8 @@ # Running genhomedircon requires this for finding all users auth_use_nsswitch(semanage_t) @@ -7824,7 +7857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) -@@ -621,6 +634,15 @@ +@@ -621,6 +629,15 @@ userdom_search_sysadm_home_dirs(semanage_t) @@ -7840,7 +7873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -700,6 +722,8 @@ +@@ -700,6 +717,8 @@ ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. optional_policy(` @@ -7852,8 +7885,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.6.4/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-05-21 10:46:53.000000000 -0400 -@@ -164,6 +164,10 @@ ++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-05-29 14:53:09.000000000 -0400 +@@ -164,6 +160,10 @@ dbus_connect_system_bus(dhcpc_t) dbus_send_system_bus(dhcpc_t) @@ -7864,7 +7897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet optional_policy(` networkmanager_dbus_chat(dhcpc_t) ') -@@ -221,6 +225,7 @@ +@@ -221,6 +221,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) 
@@ -7874,7 +7907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-05-29 14:53:15.000000000 -0400 @@ -83,12 +83,19 @@ kernel_dgram_send(udev_t) kernel_signal(udev_t) @@ -7895,7 +7928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t domain_read_all_domains_state(udev_t) domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these -@@ -194,5 +201,24 @@ +@@ -194,5 +196,24 @@ ') optional_policy(` 
@@ -7922,11 +7955,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.6.4/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/unconfined.fc 2007-05-21 10:46:53.000000000 -0400 -@@ -10,4 +10,5 @@ ++++ serefpolicy-2.6.4/policy/modules/system/unconfined.fc 2007-05-30 07:22:13.000000000 -0400 +@@ -2,12 +2,12 @@ + # e.g.: + # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) + # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) +- +-ifdef(`targeted_policy',` +-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) + /usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++ifdef(`targeted_policy',` +/usr/bin/vmware.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.6.4/policy/modules/system/unconfined.if 
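Review bot: On the new side of the inner `@@ -2,12 +2,12 @@` hunk every entry except `/usr/bin/vmware.*` now sits above the re-added ifdef line for targeted_policy, so the openoffice, RealPlayer, qemu, valgrind and ia32el `unconfined_execmem_exec_t` contexts (and the vncserver `unconfined_exec_t` one) apply to every policy variant instead of only targeted. That is a labelling-scope change unrelated to the "Add spufs" subject, and it widens where those binaries receive an execmem-capable unconfined entry type. If this is intended (for instance because non-targeted builds do not load the unconfined module at all) say so in a comment such as `# execmem entries are unconditional; only vmware stays targeted-only`; otherwise move the ifdef back above the openoffice entry. The `')` closing the ifdef is the last context line of the hunk.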
@@ -8877,7 +8922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.6.4/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/xen.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/xen.te 2007-05-29 14:53:28.000000000 -0400 @@ -25,6 +25,10 @@ domain_type(xend_t) init_daemon_domain(xend_t, xend_exec_t) @@ -8933,7 +8978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_removable_device(xend_t) term_getattr_all_user_ptys(xend_t) -@@ -195,6 +210,10 @@ +@@ -195,21 +210,16 @@ xen_stream_connect_xenstore(xend_t) @@ -8944,7 +8989,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te netutils_domtrans(xend_t) optional_policy(` -@@ -284,6 +303,12 @@ + consoletype_exec(xend_t) + ') + +-ifdef(`targeted_policy',` +- term_dontaudit_use_unallocated_ttys(xend_t) +- term_dontaudit_use_generic_ptys(xend_t) +- +- optional_policy(` +- unconfined_rw_pipes(xend_t) +- ') +-') +- + ######################################## + # + # Xen console local policy +@@ -284,6 +294,12 @@ files_read_usr_files(xenstored_t) @@ -8957,7 +9017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te term_use_generic_ptys(xenstored_t) term_use_console(xenconsoled_t) -@@ -317,6 +342,11 @@ +@@ -317,6 +333,11 @@ allow xm_t xen_image_t:dir rw_dir_perms; allow xm_t xen_image_t:file read_file_perms; @@ -8969,7 +9029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te kernel_read_system_state(xm_t) kernel_read_kernel_sysctls(xm_t) -@@ -352,3 +382,11 @@ +@@ -352,3 +373,11 @@ xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t) 
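Review bot: Besides the two tty/pty dontaudits, the removed targeted block also carried `unconfined_rw_pipes(xend_t)` inside an `optional_policy`, which was an unconditional allow; on the new side xend_t (an `init_daemon_domain`, per the context at the top of this file section) gets `unconfined_rw_pipes(daemon)` only while the `allow_daemons_use_tty` boolean is on and a dontaudit otherwise, per the init.te hunk earlier in this diff. If xend is started in a way that inherits a pipe from an unconfined process, that will now fail without an audit record when the boolean is off; confirm the boolean's default on targeted or keep the `unconfined_rw_pipes(xend_t)` line. A comment on the `init_daemon_domain(xend_t, xend_exec_t)` line pointing at the daemon-attribute rules in init.te would record why the block was dropped.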
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c8cfdc..8977295 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,7 +359,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
 %endif
 
 %changelog
-* Tue May 22 2007 Dan Walsh 2.6.4-10
+* Wed May 30 2007 Dan Walsh 2.6.4-11
+- Add spufs
+
+* Tue May 29 2007 Dan Walsh 2.6.4-10
 - Fixes for avahi, procmail, postfix
 
 * Tue May 22 2007 Dan Walsh 2.6.4-9