From d08b3103c8ac448a7f8b8b5588e286776497b30e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 15 2010 21:18:24 +0000
Subject: - Allow shutdown dac_override

---
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 083d089..a90c33b 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1984,6 +1984,13 @@ munin = module
 #
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #
diff --git a/modules-mls.conf b/modules-mls.conf
index 46e236b..236334f 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1823,6 +1823,13 @@ munin = module
 #
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 083d089..a90c33b 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1984,6 +1984,13 @@ munin = module
 #
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #
diff --git a/policy-F13.patch b/policy-F13.patch
index fb2ce4c..f0e21ca 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -15731,7 +15731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
 allow $1 devicekit_t:process { ptrace signal_perms getattr };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.14/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.14/policy/modules/services/devicekit.te 2010-03-12 09:30:00.000000000 -0500
++++ serefpolicy-3.7.14/policy/modules/services/devicekit.te 2010-03-15 17:07:58.000000000 -0400
 @@ -42,6 +42,8 @@
 files_read_etc_files(devicekit_t)
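Review bot: The module description added at `+# sosreport debuggin information generator` misspells "debugging", and the same comment is added verbatim to modules-mls.conf and modules-targeted.conf in this commit, so all three should read `# sosreport debugging information generator`. Separately, the spec changelog entry for 3.7.14-4 records only "Allow shutdown dac_override", which none of the hunks shown here appear to implement, while the sosreport module enablement in all three module lists and the devicekit/xserver policy changes below go unrecorded. A changelog line such as `- Enable sosreport policy module` alongside the existing one would make the release notes match what the package actually changes.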
@@ -15834,15 +15834,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi fstools_domtrans(devicekit_disk_t) ') -@@ -110,6 +156,7 @@ +@@ -110,28 +156,27 @@ ') optional_policy(` ++ mount_domtrans(devicekit_disk_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(devicekit_disk_t) policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -120,18 +167,12 @@ + ') + + optional_policy(` +- mount_domtrans(devicekit_disk_t) ++ raid_domtrans_mdadm(devicekit_disk_t) ') optional_policy(` @@ -15864,7 +15872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') ######################################## -@@ -139,9 +180,11 @@ +@@ -139,9 +184,11 @@ # DeviceKit-Power local policy # @@ -15877,7 +15885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +194,8 @@ +@@ -151,6 +198,8 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -15886,7 +15894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,7 +204,9 @@ +@@ -159,7 +208,9 @@ domain_read_all_domains_state(devicekit_power_t) @@ -15896,7 +15904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +214,17 @@ +@@ -167,12 +218,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) 
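Review bot: The new side of the -15834 hunk rewrites refpolicy's existing mount block, turning `- mount_domtrans(devicekit_disk_t)` into `+ raid_domtrans_mdadm(devicekit_disk_t)`, and then re-adds mount_domtrans in a fresh optional_policy block above the policykit block, which is a larger change against upstream than the goal needs. Leaving the upstream mount block untouched and adding a separate ``optional_policy(` raid_domtrans_mdadm(devicekit_disk_t) ')`` block keeps the Fedora patch minimal and lowers the chance of a conflict on the next refpolicy rebase. A domain transition into mdadm_t also widens what the udisks disk helper can do if it misbehaves, so a one-line comment naming the operation that needs it (presumably RAID assembly driven through udisks; confirm against the denial that motivated it) would help the next reviewer. The optional_policy block at the end of the hunk continues outside it.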
@@ -15914,7 +15922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,6 +232,10 @@ +@@ -180,6 +236,10 @@ ') optional_policy(` @@ -15925,7 +15933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -203,17 +259,23 @@ +@@ -203,17 +263,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -27794,7 +27802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.14/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/xserver.te 2010-03-12 09:30:01.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/xserver.te 2010-03-15 17:15:49.000000000 -0400 @@ -36,6 +36,13 @@ ## @@ -28236,7 +28244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +576,18 @@ +@@ -447,14 +576,19 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28247,6 +28255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) +term_relabel_all_ttys(xdm_t) ++term_relabel_unallocated_ttys(xdm_t) auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) 
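Review bot: `++term_relabel_unallocated_ttys(xdm_t)` is added directly under the existing `+term_relabel_all_ttys(xdm_t)` with no comment, and whether the new call is redundant depends on whether tty_device_t carries the attribute term_relabel_all_ttys() operates on; check terminal.if before carrying both lines in the patch. Relabeling tty device nodes is a label-management privilege for the display manager, so a why-comment above the pair, e.g. `# xdm relabels the console tty it hands to the session; needed for <AVC denial that motivated this>` with the placeholder filled in, would let a later rebase judge whether it is still required. The xdm_t local policy block these lines belong to starts and ends outside the hunk.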
@@ -28255,7 +28264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +598,12 @@ +@@ -465,10 +599,12 @@ logging_read_generic_logs(xdm_t) @@ -28270,7 +28279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +612,11 @@ +@@ -477,6 +613,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -28282,7 +28291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +649,12 @@ +@@ -509,10 +650,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28295,7 +28304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +662,49 @@ +@@ -520,12 +663,49 @@ ') optional_policy(` @@ -28345,7 +28354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,9 +722,43 @@ +@@ -543,9 +723,43 @@ ') optional_policy(` @@ -28389,7 +28398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +768,9 @@ +@@ -555,8 +769,9 @@ ') optional_policy(` @@ -28401,7 +28410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +779,6 @@ +@@ -565,7 +780,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28409,7 +28418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +789,10 @@ +@@ -576,6 +790,10 @@ ') optional_policy(` 
@@ -28420,7 +28429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +817,9 @@ +@@ -600,10 +818,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -28432,7 +28441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +831,18 @@ +@@ -615,6 +832,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28451,7 +28460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +862,19 @@ +@@ -634,12 +863,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28473,7 +28482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +908,6 @@ +@@ -673,7 +909,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28481,7 +28490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +917,12 @@ +@@ -683,9 +918,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) 
@@ -28495,7 +28504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +937,13 @@ +@@ -700,8 +938,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28509,7 +28518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +965,14 @@ +@@ -723,11 +966,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28524,7 +28533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1024,24 @@ +@@ -779,12 +1025,24 @@ ') optional_policy(` @@ -28550,7 +28559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1068,7 @@ +@@ -811,7 +1069,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -28559,7 +28568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1089,14 @@ +@@ -832,9 +1090,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28574,7 +28583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1111,14 @@ +@@ -849,11 +1112,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -28591,7 +28600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 optional_policy(`
-@@ -999,3 +1264,33 @@
+@@ -999,3 +1265,33 @@
 allow xserver_unconfined_type xextension_type:x_extension *;
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b24ba52..f9409ff 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.14
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ exit 0
 %endif
 
 %changelog
+* Sun Mar 14 2010 Dan Walsh 3.7.14-4
+- Allow shutdown dac_override
+
 * Sat Mar 13 2010 Dan Walsh 3.7.14-3
 - Add device_t as a file system
 - Fix sysfs association