From 07e28d136dace806604a49aadaa858a863d7060c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 20 2007 22:30:51 +0000 Subject: - Fix java and mono to run in xguest account --- diff --git a/policy-20070703.patch b/policy-20070703.patch index b92dca4..b13a801 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1439,7 +1439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te application_executable_file(gconfd_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2007-09-20 18:08:22.000000000 -0400 @@ -11,6 +11,7 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -1448,7 +1448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,9 @@ +@@ -20,5 +21,11 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) @@ -1458,9 +1458,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc + +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + ++/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-20 08:56:23.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-20 17:57:24.000000000 -0400 @@ -32,7 +32,7 @@ ## ## @@ -1480,7 +1482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if allow $1_javaplugin_t $2:fd use; # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; -@@ -166,6 +165,57 @@ +@@ -166,6 +165,60 @@ optional_policy(` xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') @@ -1528,17 +1530,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + + userdom_unpriv_usertype($1, $1_java_t) + -+ allow $1_java_t self:process { execheap execmem }; ++ allow $1_java_t self:process { getsched sigkill execheap execmem execstack }; + + domtrans_pattern($2, java_exec_t, $1_java_t) + ++ dev_read_urand($1_java_t) ++ dev_read_rand($1_java_t) ++ + optional_policy(` + xserver_xdm_rw_shm($1_java_t) + ') ') ######################################## -@@ -219,3 +269,66 @@ +@@ -219,3 +272,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -6387,7 +6392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal +term_search_ptys(ktalkd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if --- nsaserefpolicy/policy/modules/services/lpd.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-09-20 18:02:10.000000000 -0400 @@ -394,3 +394,22 @@ domtrans_pattern($2, lpr_exec_t, $1_lpr_t) @@ -13255,7 +13260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 15:46:46.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 18:02:36.000000000 -0400 @@ -29,8 +29,9 @@ ') @@ -13849,7 +13854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -954,21 +882,163 @@ +@@ -954,21 +882,164 @@ ## ## # @@ -13965,6 +13970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + userdom_poly_tmp_template($1) + + optional_policy(` ++ cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) + ') @@ -14019,7 +14025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -977,23 +1047,51 @@ +@@ -977,23 +1048,51 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -14082,7 +14088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,15 +1127,7 @@ +@@ -1029,15 +1128,7 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -14099,7 +14105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -1054,17 +1144,6 @@ +@@ -1054,17 +1145,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -14117,7 +14123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1181,8 @@ +@@ -1102,6 +1182,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -14126,7 +14132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1208,7 @@ +@@ -1127,7 +1209,7 @@ # $1_t local policy # @@ -14135,7 +14141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1220,11 @@ +@@ -1139,7 +1221,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -14148,7 +14154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1642,9 +1727,11 @@ +@@ -1642,9 +1728,11 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -14160,7 +14166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_type($2) ') -@@ -1894,10 +1981,46 @@ +@@ -1894,10 +1982,46 @@ template(`userdom_manage_user_home_content_dirs',` gen_require(` type $1_home_dir_t, $1_home_t; @@ -14208,7 +14214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3078,7 +3201,7 @@ +@@ -3078,7 +3202,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -14217,7 +14223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4615,6 +4738,24 @@ +@@ -4615,6 +4739,24 @@ files_list_home($1) allow $1 home_dir_type:dir search_dir_perms; ') @@ -14242,7 +14248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -4633,6 +4774,14 @@ +@@ -4633,6 +4775,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -14257,7 +14263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5472,7 @@ +@@ -5323,7 +5473,7 @@ attribute user_tmpfile; ') @@ -14266,7 +14272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5708,376 @@ +@@ -5559,3 +5709,376 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a610a50..a42480c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -362,6 +362,9 @@ exit 0 %endif %changelog +* Thu Sep 20 2007 Dan Walsh 3.0.8-5 +- Fix java and mono to run in xguest account + * Wed Sep 19 2007 Dan Walsh 3.0.8-4 - Fix to add xguest account when inititial install - Allow mono, java, wine to run in userdomains