From d82b433ef8684f52abb486c038901949380882b9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 12 2007 18:17:48 +0000 Subject: - Fix labeling on * /usr/lib64/cups/backend/hp.* - Upgrade to Fedora 8 cups policy --- diff --git a/policy-20070501.patch b/policy-20070501.patch index 058ae0a..364daef 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -5205,7 +5205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-12-12 10:42:46.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-12-12 11:22:12.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(cups,1.6.0) @@ -5310,18 +5310,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) --mls_file_write_down(cupsd_t) --mls_file_read_up(cupsd_t) + mls_file_write_down(cupsd_t) + mls_file_read_up(cupsd_t) -mls_rangetrans_target(cupsd_t) -+mls_file_write_all_levels(cupsd_t) -+mls_file_read_all_levels(cupsd_t) mls_socket_write_all_levels(cupsd_t) term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) auth_domtrans_chk_passwd(cupsd_t) -+auth_domtrans_upd_passwd_chk(cupsd_t) ++auth_domtrans_upd_passwd(cupsd_t) auth_dontaudit_read_pam_pid(cupsd_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp @@ -5356,7 +5354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups logging_send_syslog_msg(cupsd_t) miscfiles_read_localization(cupsd_t) -@@ -223,25 +224,27 @@ +@@ -223,22 +224,23 @@ sysnet_read_config(cupsd_t) 
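Review bot: The added `auth_domtrans_upd_passwd(cupsd_t)` line in the cups.te section (hunk `@@ -5310,18 +5310,16 @@`) gives the print daemon a domain transition that, judging by the interface name, reaches the password-update helper, and neither the hunk nor the commit message says why cupsd needs it. A daemon that parses print jobs from the network should carry that rule only if a logged denial showed it is required, so I would put a one-line justification above it, for example `# cupsd runs the PAM password-update helper during authentication (confirm against the AVC that prompted this)`. The same hunk still drops `mls_rangetrans_target(cupsd_t)` while going back to `mls_file_write_down` and `mls_file_read_up`, and a short comment on why the range-transition target is no longer wanted would help whoever audits the MLS exemptions for cupsd_t later. The cupsd_t rule block starts and ends outside this hunk.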
@@ -5385,11 +5383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups init_stream_connect_script(cupsd_t) unconfined_rw_pipes(cupsd_t) -+ unconfined_rw_stream_sockets(cupsd_t) - - optional_policy(` - init_dbus_chat_script(cupsd_t) -@@ -284,16 +287,16 @@ +@@ -284,16 +286,16 @@ ') optional_policy(` @@ -5410,7 +5404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -341,7 +344,8 @@ +@@ -341,7 +343,8 @@ kernel_read_system_state(cupsd_config_t) kernel_read_kernel_sysctls(cupsd_config_t) @@ -5420,7 +5414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corenet_tcp_sendrecv_all_if(cupsd_config_t) corenet_tcp_sendrecv_all_nodes(cupsd_config_t) corenet_tcp_sendrecv_all_ports(cupsd_config_t) -@@ -351,6 +355,7 @@ +@@ -351,6 +354,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -5428,7 +5422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -396,12 +401,11 @@ +@@ -396,12 +400,11 @@ ') ') @@ -5444,7 +5438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups unconfined_rw_pipes(cupsd_config_t) ') -@@ -422,6 +426,7 @@ +@@ -422,6 +425,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -5452,7 +5446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -492,7 +497,8 @@ +@@ -492,7 +496,8 @@ kernel_read_system_state(cupsd_lpd_t) kernel_read_network_state(cupsd_lpd_t) 
@@ -5462,7 +5456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corenet_tcp_sendrecv_all_if(cupsd_lpd_t) corenet_udp_sendrecv_all_if(cupsd_lpd_t) corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t) -@@ -510,6 +516,8 @@ +@@ -510,6 +515,8 @@ files_read_etc_files(cupsd_lpd_t) @@ -5471,7 +5465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(cupsd_lpd_t) libs_use_shared_libs(cupsd_lpd_t) -@@ -517,22 +525,12 @@ +@@ -517,22 +524,12 @@ miscfiles_read_localization(cupsd_lpd_t) @@ -5494,7 +5488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # HPLIP local policy -@@ -550,14 +548,12 @@ +@@ -550,14 +547,12 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -5513,7 +5507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -565,7 +561,8 @@ +@@ -565,7 +560,8 @@ kernel_read_system_state(hplip_t) kernel_read_kernel_sysctls(hplip_t) @@ -5523,7 +5517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corenet_tcp_sendrecv_all_if(hplip_t) corenet_udp_sendrecv_all_if(hplip_t) corenet_raw_sendrecv_all_if(hplip_t) -@@ -587,7 +584,7 @@ +@@ -587,7 +583,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -5532,7 +5526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -614,13 +611,7 @@ +@@ -614,13 +610,7 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) 
@@ -5547,7 +5541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) -@@ -662,7 +653,8 @@ +@@ -662,7 +652,8 @@ kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -5557,7 +5551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corenet_tcp_sendrecv_all_if(ptal_t) corenet_tcp_sendrecv_all_nodes(ptal_t) corenet_tcp_sendrecv_all_ports(ptal_t) -@@ -693,12 +685,6 @@ +@@ -693,12 +684,6 @@ userdom_dontaudit_use_unpriv_user_fds(ptal_t) userdom_dontaudit_search_all_users_home_content(ptal_t) @@ -5570,7 +5564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(ptal_t) ') -@@ -706,3 +692,54 @@ +@@ -706,3 +691,50 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -5583,10 +5577,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +userdom_read_unpriv_users_tmp_files(cupsd_t) +files_dontaudit_getattr_all_tmp_sockets(cupsd_t) + -+optional_policy(` -+ unconfined_read_tmp_files(cupsd_t) -+') -+ +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(cupsd_t) + term_dontaudit_use_generic_ptys(cupsd_t) @@ -6878,7 +6868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 @@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.81 2007/12/12 15:44:27 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.82 2007/12/12 18:17:48 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway 
@@ -7059,7 +7049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400 @@ -0,0 +1,231 @@ -+# $Id: policy-20070501.patch,v 1.81 2007/12/12 15:44:27 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.82 2007/12/12 18:17:48 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway