diff --git a/policy-20070501.patch b/policy-20070501.patch index d0b0f32..4d450f2 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -2124,7 +2124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.6.4/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc 2007-10-18 17:12:33.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc 2007-11-20 08:25:59.000000000 -0500 @@ -12,6 +12,7 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -2142,7 +2142,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) -@@ -52,7 +55,7 @@ +@@ -28,6 +31,7 @@ + /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) ++/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +@@ -52,7 +56,7 @@ /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -2151,7 +2159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) /dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -63,7 +66,9 @@ +@@ -63,7 +67,9 @@ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) @@ -2161,7 +2169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -81,6 +86,8 @@ +@@ -81,6 +87,8 @@ /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) @@ -2170,7 +2178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) -@@ -92,6 +99,7 @@ +@@ -92,6 +100,7 @@ /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -2178,7 +2186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) -@@ -107,6 +115,10 @@ +@@ -107,6 +116,10 @@ /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) @@ -2191,7 +2199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /lib/udev/devices -d gen_context(system_u:object_r:device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.6.4/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/devices.if 2007-11-01 14:04:31.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/devices.if 2007-11-26 10:03:12.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -5821,7 +5829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 @@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.77 2007/11/20 12:11:26 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.78 2007/11/26 16:04:14 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -5839,7 +5847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-2.6.4/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/services/exim.if 2007-10-05 09:28:30.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/exim.if 2007-11-26 11:02:37.000000000 -0500 @@ -0,0 +1,157 @@ +## Exim service + @@ -5860,7 +5868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + ') + + corecmd_search_sbin($1) -+ domtrans_pattern($1, exim_t, exim_exec_t) ++ domtrans_pattern($1, exim_exec_t, exim_t) +') + +######################################## @@ -6002,7 +6010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400 @@ -0,0 +1,231 @@ -+# $Id: policy-20070501.patch,v 1.77 2007/11/20 12:11:26 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.78 2007/11/26 16:04:14 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -8660,8 +8668,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.6.4/policy/modules/services/rhgb.te --- nsaserefpolicy/policy/modules/services/rhgb.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rhgb.te 2007-08-07 09:42:35.000000000 -0400 -@@ -105,6 +105,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rhgb.te 2007-11-20 07:03:48.000000000 -0500 +@@ -73,6 +73,7 @@ + fs_mount_ramfs(rhgb_t) + fs_unmount_ramfs(rhgb_t) + fs_getattr_tmpfs(rhgb_t) ++fs_getattr_xattr_fs(rhgb_t) + # for ramfs file systems + fs_manage_ramfs_dirs(rhgb_t) + fs_manage_ramfs_files(rhgb_t) +@@ -105,6 +106,7 @@ userdom_dontaudit_use_unpriv_user_fds(rhgb_t) userdom_dontaudit_search_sysadm_home_dirs(rhgb_t) @@ -12102,7 +12118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.4/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-11-16 09:39:37.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-11-20 07:09:04.000000000 -0500 @@ -10,13 +10,20 @@ # Declarations # @@ -12223,15 +12239,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -786,3 +815,8 @@ +@@ -786,3 +815,4 @@ optional_policy(` zebra_read_config(initrc_t) ') + -+optional_policy(` -+ rpm_dontaudit_rw_pipes(daemon) -+') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-2.6.4/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/ipsec.if 2007-08-07 09:42:35.000000000 -0400 @@ -12337,8 +12349,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-11-08 16:05:30.000000000 -0500 -@@ -81,8 +81,10 @@ ++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-11-23 05:59:39.000000000 -0500 +@@ -9,6 +9,9 @@ + /emul/ia32-linux/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) + /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) + ') ++/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/firefox-[^/]/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + ifdef(`distro_gentoo',` + /emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +@@ -81,8 +84,10 @@ /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -12350,7 +12372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ifdef(`distro_gentoo',` # despite the extensions, they are actually libs -@@ -132,13 +134,16 @@ +@@ -132,13 +137,16 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -12368,7 +12390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -157,6 +162,8 @@ +@@ -157,6 +165,8 @@ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -12377,7 +12399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -254,6 +261,8 @@ +@@ -254,6 +264,8 @@ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -12386,6 +12408,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware +@@ -306,3 +318,4 @@ + /var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0) + /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0) + /var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0) ++/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-20 17:13:12.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 392314e..3e3d716 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 58%{?dist} +Release: 59%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -363,6 +363,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Mon Nov 26 2007 Dan Walsh 2.6.4-59 +- Allow udev to relabel lnk_files on /dev + * Tue Nov 20 2007 Dan Walsh 2.6.4-58 - Allow rhgb to getattr on filesystems - Allow dictd to use /var/run direcory