From 01ce3df8a673c9f38501c14c09f00aa72d39a90f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 04 2008 18:47:26 +0000 Subject: - Allow iptables to talk to terminals --- diff --git a/policy-20081111.patch b/policy-20081111.patch index da1cb9f..05eb692 100644 --- a/policy-20081111.patch +++ b/policy-20081111.patch @@ -19813,7 +19813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-04 13:46:29.000000000 -0500 @@ -75,7 +75,7 @@ ubac_constrained(ssh_tmpfs_t) @@ -19823,7 +19823,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; files_type(home_ssh_t) userdom_user_home_content(home_ssh_t) -@@ -318,6 +318,9 @@ +@@ -115,6 +115,7 @@ + manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t) + manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t) + userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) ++userdom_stream_connect(ssh_t) + + # Allow the ssh program to communicate with ssh-agent. + stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) +@@ -318,6 +319,9 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -19833,7 +19841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -331,6 +334,14 @@ +@@ -331,6 +335,14 @@ ') optional_policy(` @@ -19848,7 +19856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -349,7 +360,11 @@ +@@ -349,7 +361,11 @@ ') optional_policy(` @@ -19861,7 +19869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -408,6 +423,8 @@ +@@ -408,6 +424,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) @@ -27124,7 +27132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.1/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/xen.te 2008-11-25 10:59:58.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/xen.te 2008-12-04 13:40:20.000000000 -0500 @@ -1,11 +1,18 @@ -policy_module(xen, 1.7.2) @@ -27312,7 +27320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_all_nodes(xm_t) -@@ -339,15 +373,37 @@ +@@ -339,15 +373,38 @@ storage_raw_read_fixed_disk(xm_t) @@ -27335,6 +27343,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + virt_manage_images(xm_t) ++ virt_stream_connect(xm_t) +') + +#Should have a boolean wrapping these diff --git a/selinux-policy.spec b/selinux-policy.spec index c3a2432..bdcaaa1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.1 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -87,8 +87,8 @@ SELinux policy documentation package /usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null %define setupCmds() \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \ cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ @@ -96,10 +96,10 @@ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf ) %define installCmds() \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ -make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ +make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ #%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active \ @@ -234,7 +234,7 @@ make clean %installCmds olpc mcs n y allow %endif -make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs +make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs mkdir %{buildroot}%{_usr}/share/selinux/devel/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/ @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Thu Dec 4 2008 Dan Walsh 3.6.1-5 +- Allow iptables to talk to terminals + * Wed Dec 3 2008 Dan Walsh 3.6.1-4 - Cleanup policy