From dac6d67c8c910d90f67a74a5ef58722e01474688 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 16 2007 15:54:21 +0000 Subject: - Fix moilscanner update problem --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 795f734..8f93877 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1297,7 +1297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## This is a templated interface, and should only diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.2/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-07-03 07:05:43.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/apps/java.if 2007-07-13 14:03:39.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/java.if 2007-07-16 11:47:57.000000000 -0400 @@ -32,7 +32,7 @@ ## ## @@ -1317,7 +1317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if allow $1_javaplugin_t $2:fd use; # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; -@@ -168,6 +167,50 @@ +@@ -168,6 +167,51 @@ optional_policy(` xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') @@ -1354,6 +1354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if +template(`java_per_role_template',` + gen_require(` + type java_exec_t; ++ attribute $1_usertype; + ') + + type $1_java_t; @@ -1368,7 +1369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -221,3 +264,66 @@ +@@ -221,3 +265,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') 
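Review bot: The new `attribute $1_usertype;` in the gen_require of `java_per_role_template` (and the identical addition to `mono_per_role_template` in the next hunk) is not referenced by any line visible in the hunk, so the rule that actually consumes `$1_usertype` must lie in the part of the template body outside this diff; confirm such a rule exists, because an unused require still makes the template fail to link for any role whose `$1_usertype` attribute is not declared. A short comment beside the require naming where the attribute is declared, e.g. `# $1_usertype is declared by <TEMPLATE-THAT-DECLARES-IT>`, would let the next reader verify the dependency without searching the tree. Both enclosing templates start and end outside their hunks.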
@@ -1449,8 +1450,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.2/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/apps/mono.if 2007-07-13 09:58:46.000000000 -0400 -@@ -18,3 +18,95 @@ ++++ serefpolicy-3.0.2/policy/modules/apps/mono.if 2007-07-16 11:48:24.000000000 -0400 +@@ -18,3 +18,96 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) ') @@ -1534,6 +1535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if +template(`mono_per_role_template',` + gen_require(` + type mono_exec_t; ++ attribute $1_usertype; + ') + + type $1_mono_t; 
@@ -5579,16 +5581,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.2/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/services/postfix.if 2007-07-13 08:07:53.000000000 -0400 -@@ -118,6 +118,8 @@ - allow postfix_$1_t self:udp_socket create_socket_perms; ++++ serefpolicy-3.0.2/policy/modules/services/postfix.if 2007-07-16 09:34:02.000000000 -0400 +@@ -41,6 +41,8 @@ + allow postfix_$1_t self:unix_stream_socket connectto; - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + allow postfix_master_t postfix_$1_t:process signal; + #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 + allow postfix_$1_t postfix_master_t:file read; - corenet_all_recvfrom_unlabeled(postfix_$1_t) - corenet_all_recvfrom_netlabel(postfix_$1_t) + allow postfix_$1_t postfix_etc_t:dir list_dir_perms; + read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t) @@ -132,10 +134,8 @@ corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) 
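Review bot: The relocated `#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456` comment now sits between `allow postfix_master_t postfix_$1_t:process signal;` and `allow postfix_$1_t postfix_master_t:file read;`, so it is unclear which of the two rules the bug justifies; place it directly above the rule it explains and say what the rule is for, e.g. `# bz 244456: <which rule and why>`. Because both rules live in the template, every postfix_$1_t domain instantiated from it receives them, not only the subdomain the bug report concerned, so it is worth confirming the wider grant is intended rather than a convenience. The enclosing template begins and ends outside the hunk.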
@@ -6013,8 +6015,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_search_auto_mountpoints($1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.2/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/services/rpc.te 2007-07-13 08:07:53.000000000 -0400 -@@ -76,9 +76,11 @@ ++++ serefpolicy-3.0.2/policy/modules/services/rpc.te 2007-07-16 11:49:47.000000000 -0400 +@@ -59,6 +59,8 @@ + manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) + files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) + ++corecmd_exec_bin(rpcd_t) ++ + kernel_read_system_state(rpcd_t) + kernel_search_network_state(rpcd_t) + # for rpc.rquotad +@@ -76,9 +78,11 @@ miscfiles_read_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -6026,7 +6037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') ######################################## -@@ -91,9 +93,13 @@ +@@ -91,9 +95,13 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; @@ -6040,7 +6051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -123,6 +129,7 @@ +@@ -123,6 +131,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) @@ -6048,7 +6059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -143,6 +150,8 @@ +@@ -143,6 +152,8 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) 
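Review bot: `corecmd_exec_bin(rpcd_t)` lets rpcd_t execute any bin_t file in its own domain, and nothing in the hunk says which helper rpcd needs; the nearby `# for rpc.rquotad` comment belongs to the following block and does not cover it. Add a comment naming the program and the reason, e.g. `# rpcd executes <HELPER-BINARY> (bin_t) — see <BUG-ID>`, and if a single program is involved and it has its own exec type, a narrower interface for that type would keep the grant to what rpcd actually runs. The remaining hunk-header renumbering in this file is mechanical.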
@@ -6057,7 +6068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -158,6 +167,11 @@ +@@ -158,6 +169,11 @@ miscfiles_read_certs(gssd_t) @@ -9756,7 +9767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.2/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/system/unconfined.te 2007-07-13 08:07:54.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/unconfined.te 2007-07-16 11:53:43.000000000 -0400 @@ -5,30 +5,36 @@ # # Declarations @@ -9882,7 +9893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -157,18 +145,6 @@ +@@ -157,22 +145,12 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -9901,7 +9912,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -182,10 +158,6 @@ + rpm_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ++ # Allow SELinux aware applications to request rpm_script execution ++ rpm_transition_script(unconfined_t) + ') + + optional_policy(` +@@ -182,10 +160,6 @@ ') optional_policy(` @@ -9912,7 +9929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) sysnet_dbus_chat_dhcpc(unconfined_t) ') -@@ -207,7 +179,7 @@ +@@ -207,7 +181,7 @@ ') optional_policy(` 
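Review bot: `rpm_transition_script(unconfined_t)` is placed inside the rpm `optional_policy` block, which is correct, but whether this tree's rpm.if defines `rpm_transition_script` cannot be seen from the diff; if the interface is missing the unconfined module fails to build, so confirm the rpm.if side of the change. The accompanying comment `# Allow SELinux aware applications to request rpm_script execution` would be easier to audit if it named the source domain and what the interface grants (presumably a transition into the rpm script domain), e.g. `# Let unconfined_t request a transition into the rpm script domain via <INTERFACE-EFFECT>`. The enclosing `optional_policy` block begins outside the hunk.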
@@ -9921,7 +9938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -229,6 +201,12 @@ +@@ -229,6 +203,12 @@ unconfined_dbus_chat(unconfined_execmem_t) optional_policy(`