From 5b96313949161e8fa6d2ed3513e382812b9c5f1a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 29 2009 19:47:31 +0000 Subject: - Update rhcs policy --- diff --git a/modules-minimum.conf b/modules-minimum.conf index e789013..5abc55c 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1200,6 +1200,20 @@ rgmanager = module rhcs = module # Layer: services +# Module: aisexec +# +# RHCS - Red Hat Cluster Suite +# +aisexec = module + +# Layer: services +# Module: rgmanager +# +# rgmanager +# +rgmanager = module + +# Layer: services # Module: rhgb # # X windows login display manager diff --git a/modules-targeted.conf b/modules-targeted.conf index e789013..5abc55c 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1200,6 +1200,20 @@ rgmanager = module rhcs = module # Layer: services +# Module: aisexec +# +# RHCS - Red Hat Cluster Suite +# +aisexec = module + +# Layer: services +# Module: rgmanager +# +# rgmanager +# +rgmanager = module + +# Layer: services # Module: rhgb # # X windows login display manager diff --git a/policy-F12.patch b/policy-F12.patch index ce6ce93..51bcbc2 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2593,8 +2593,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-23 10:34:03.000000000 -0400 -@@ -0,0 +1,320 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-29 15:46:41.000000000 -0400 +@@ -0,0 +1,322 @@ + +## policy for nsplugin + @@ -2686,6 +2686,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $1 types nsplugin_config_t; + + allow nsplugin_t $2:process signull; ++ allow nsplugin_t $2:dbus send_msg; ++ allow $2 nsplugin_t:dbus send_msg; + + list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) @@ -3332,6 +3334,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if +--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-09-29 15:46:25.000000000 -0400 +@@ -40,7 +40,7 @@ + userdom_manage_tmpfs_role($1, pulseaudio_t) + + allow $2 pulseaudio_t:dbus send_msg; +- allow pulseaudio_t $2:dbus send_msg; ++ allow pulseaudio_t $2:dbus { acquire_svc send_msg }; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-08-31 13:30:04.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-09-16 10:03:08.000000000 -0400 @@ -20311,7 +20325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-21 08:22:39.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-29 15:34:33.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -20727,7 +20741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +652,30 @@ +@@ -542,6 +652,34 @@ ') optional_policy(` @@ -20739,6 +20753,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ pcscd_stream_connect(xdm_t) ++') ++ ++optional_policy(` + pulseaudio_exec(xdm_t) + pulseaudio_dbus_chat(xdm_t) +') @@ -20758,7 +20776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +684,9 @@ +@@ -550,8 +688,9 @@ ') optional_policy(` @@ -20770,7 +20788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +695,6 @@ +@@ -560,7 +699,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -20778,7 +20796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +705,10 @@ +@@ -571,6 +709,10 @@ ') optional_policy(` @@ -20789,7 +20807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +725,9 @@ +@@ -587,10 +729,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -20801,7 +20819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +739,12 @@ +@@ -602,9 +743,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -20814,7 +20832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +756,14 @@ +@@ -616,13 +760,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -20830,7 +20848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +776,19 @@ +@@ -635,9 +780,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -20850,7 +20868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +822,6 @@ +@@ -671,7 +826,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -20858,7 +20876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +831,12 @@ +@@ -681,9 +835,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -20872,7 +20890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +851,12 @@ +@@ -698,8 +855,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -20885,7 +20903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +878,7 @@ +@@ -721,6 +882,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -20893,7 +20911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +901,7 @@ +@@ -743,7 +905,7 @@ ') ifdef(`enable_mls',` @@ -20902,7 +20920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +933,20 @@ +@@ -775,12 +937,20 @@ ') optional_policy(` @@ -20924,7 +20942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,7 +973,7 @@ +@@ -807,7 +977,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -20933,7 +20951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -828,9 +994,14 @@ +@@ -828,9 +998,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -20948,7 +20966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1016,14 @@ +@@ -845,11 +1020,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -20964,7 +20982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1056,8 @@ +@@ -882,6 +1060,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -20973,7 +20991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1082,8 @@ +@@ -906,6 +1086,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -20982,7 +21000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1151,49 @@ +@@ -973,17 +1155,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;