From f012074e0f43ca888963c1bfb696ecbdec470809 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 18 2007 11:54:11 +0000
Subject: - Allow xserver access to urand
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index 62ce76e..2eb6062 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -7027,8 +7027,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.5/policy/modules/services/rhgb.te
 --- nsaserefpolicy/policy/modules/services/rhgb.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/rhgb.te 2007-08-07 09:39:49.000000000 -0400
-@@ -109,6 +109,7 @@
++++ serefpolicy-3.0.5/policy/modules/services/rhgb.te 2007-08-18 06:24:55.000000000 -0400
+@@ -59,6 +59,7 @@
+ corenet_sendrecv_all_client_packets(rhgb_t)
+ 
+ dev_read_sysfs(rhgb_t)
++dev_read_urand(rhgb_t)
+ 
+ domain_use_interactive_fds(rhgb_t)
+ 
+@@ -109,6 +110,7 @@
  userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
  userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
@@ -8106,8 +8114,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.5/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/xserver.if 2007-08-07 09:39:49.000000000 -0400
-@@ -141,7 +141,7 @@
++++ serefpolicy-3.0.5/policy/modules/services/xserver.if 2007-08-18 06:25:18.000000000 -0400
+@@ -126,6 +126,8 @@
+ # read events - the synaptics touchpad driver reads raw events
+ dev_rw_input_dev($1_xserver_t)
+ dev_rwx_zero($1_xserver_t)
++ dev_read_urand($1_xserver_t)
++
+ 
+ domain_mmap_low($1_xserver_t)
+ 
+@@ -141,7 +143,7 @@
  fs_getattr_xattr_fs($1_xserver_t)
  fs_search_nfs($1_xserver_t)
  fs_search_auto_mountpoints($1_xserver_t)
@@ -8116,7 +8133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  init_getpgid($1_xserver_t)
-@@ -353,12 +353,6 @@
+@@ -353,12 +355,6 @@
  # allow ps to show xauth
  ps_process_pattern($2,$1_xauth_t)
@@ -8129,7 +8146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  domain_use_interactive_fds($1_xauth_t)
  files_read_etc_files($1_xauth_t)
-@@ -387,6 +381,14 @@
+@@ -387,6 +383,14 @@
  ')
  optional_policy(`
@@ -8144,7 +8161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  nis_use_ypbind($1_xauth_t)
  ')
-@@ -537,16 +539,14 @@
+@@ -537,16 +541,14 @@
  gen_require(`
  type xdm_t, xdm_tmp_t;
@@ -8163,7 +8180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # for when /tmp/.X11-unix is created by the system
  allow $2 xdm_t:fd use;
-@@ -555,25 +555,46 @@
+@@ -555,25 +557,46 @@
  allow $2 xdm_tmp_t:sock_file { read write };
  dontaudit $2 xdm_t:tcp_socket { read write };
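Review bot: The added `++` line right after `++ dev_read_urand($1_xserver_t)` inserts an empty line directly before the existing blank context line, so the template ends up with two consecutive blank lines ahead of `domain_mmap_low($1_xserver_t)`; the inner header `@@ -126,6 +126,8 @@` confirms two lines are added where only one is needed. Dropping the stray `++` line and correcting the header to `@@ -126,6 +126,7 @@` keeps the change to the single new rule. The rule itself grants every `$1_xserver_t` domain built from this template read access to the urandom device via the narrowest refpolicy interface for that purpose, which is a reasonable, read-only widening. The remaining hunks on this line only renumber inner hunk headers, and the enclosing interface body begins and ends outside the hunk.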
@@ -8219,7 +8236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  ')
-@@ -626,6 +647,24 @@
+@@ -626,6 +649,24 @@
  ########################################
  ##
@@ -8244,7 +8261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ## Transition to a user Xauthority domain.
  ##
  ##
-@@ -659,6 +698,73 @@
+@@ -659,6 +700,73 @@
  ########################################
  ##
@@ -8318,7 +8335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ## Transition to a user Xauthority domain.
  ##
  ##
-@@ -1136,7 +1242,7 @@
+@@ -1136,7 +1244,7 @@
  type xdm_xserver_tmp_t;
  ')
@@ -8327,7 +8344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  ########################################
-@@ -1325,3 +1431,62 @@
+@@ -1325,3 +1433,62 @@
  files_search_tmp($1)
  stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -10802,7 +10819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.5/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.te 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.te 2007-08-15 06:15:41.000000000 -0400
 @@ -76,7 +76,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f3e857b..2ece3f0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.5
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
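Review bot: The hunk at `@@ -10802,7 +10819,7 @@` changes only the timestamp on the inner `+++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.te` header (2007-08-07 to 2007-08-15) and touches no selinuxutil.te rule, so it is churn from regenerating the carried patch rather than part of the urand change the subject describes. Regenerating the patch with untouched files excluded, or normalizing header timestamps, would keep this commit to the rhgb.te and xserver.if changes it actually makes and make later audits of what each release changed in the policy easier. The inner `@@ -76,7 +76,6 @@` hunk for restorecond is cut off at the end of the outer hunk, so its content cannot be reviewed here; the other hunks on this line only renumber inner hunk headers.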
@@ -288,7 +288,7 @@ SELinux Reference policy targeted base module.
 %saveFileContext targeted
 %post targeted
-semodule -r moilscanner 2>/dev/null
+semodule -s targeted -r moilscanner 2>/dev/null
 %loadpolicy targeted
 %relabel targeted
 exit 0
@@ -360,6 +360,9 @@ exit 0
 %endif
 %changelog
+* Sat Aug 18 2007 Dan Walsh 3.0.5-8
+- Allow xserver access to urand
+
 * Tue Aug 14 2007 Dan Walsh 3.0.5-7
 - allow dovecot to search mountpoints
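Review bot: `semodule -s targeted -r moilscanner 2>/dev/null` in `%post targeted` now names the policy store explicitly, which is the right fix when the host's default store is not the one this package installs into; if the `%post` scriptlets for the other policy types carry the same unqualified `semodule -r moilscanner` line they need the matching `-s` argument, but they are outside this hunk. Separately, the module name `moilscanner` looks like a misspelling of `mailscanner`; if so, the removal has been a silent no-op all along, because stderr is discarded and the scriptlet ends with `exit 0`, and a stale module would stay loaded in the store across upgrades. Worth confirming the name against the module this line was meant to retire, e.g. with `semodule -s targeted -l` on an affected host, and considering whether to drop the `2>/dev/null` so a failed removal at least shows up in the install log. The changelog hunk is trivial.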