From 90e4193775ec0f77b683800b27046dad6d02bf6a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 08 2009 13:18:20 +0000
Subject: - Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
---
diff --git a/policy-20090105.patch b/policy-20090105.patch
index a67d725..1dd0d5d 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -1980,7 +1980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.12/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-04-08 08:35:54.000000000 -0400
 @@ -30,6 +30,7 @@
 allow java_t $2:unix_stream_socket connectto;
@@ -1989,7 +1989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -68,3 +69,128 @@
+@@ -68,3 +69,129 @@
 domtrans_pattern($1, java_exec_t, unconfined_java_t)
 corecmd_search_bin($1)
 ')
@@ -2104,6 +2104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + domain_interactive_fd($1_java_t)
 +
 + userdom_unpriv_usertype($1, $1_java_t)
++ userdom_manage_tmpfs_role($2, $1_java_t)
 +
 + allow $1_java_t self:process { ptrace signal getsched execmem execstack };
 + allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
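Review bot: The new `userdom_manage_tmpfs_role($2, $1_java_t)` is placed inside the `$1_java_t` role template, so it reaches every role that instantiates the template, whereas the subject only names unconfined_java_t; the same holds for `userdom_manage_tmpfs_role($2, $1_mono_t)` in the mono.if hunk at `@@ -2352,6 +2353,7 @@`. Extending what the interface name suggests are manage rights on user_tmpfs_t to the confined per-role java and mono domains is presumably intended, but then the commit message should say so, or the call should move next to the unconfined instantiation (not visible in this diff). A one-line why-comment above the call would also help later readers, e.g. `# runtime creates files on tmpfs (e.g. /dev/shm); keep them labeled user_tmpfs_t` — the exact trigger is not shown here, so confirm it before writing it. The enclosing template starts and ends outside the hunk.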
@@ -2266,8 +2267,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +seutil_domtrans_setfiles_mac(livecd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.12/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/apps/mono.if 2009-04-07 16:01:44.000000000 -0400
-@@ -21,6 +21,103 @@
++++ serefpolicy-3.6.12/policy/modules/apps/mono.if 2009-04-08 08:35:44.000000000 -0400
+@@ -21,6 +21,104 @@
 ########################################
 ##
@@ -2352,6 +2353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + domain_interactive_fd($1_mono_t)
 +
 + userdom_unpriv_usertype($1, $1_mono_t)
++ userdom_manage_tmpfs_role($2, $1_mono_t)
 +
 + allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
 + allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
@@ -2371,7 +2373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## Execute the mono program in the caller domain.
 ##
 ##
-@@ -31,7 +128,7 @@
+@@ -31,7 +129,7 @@
 #
 interface(`mono_exec',`
 gen_require(`
@@ -22399,7 +22401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-08 08:34:37.000000000 -0400
 @@ -34,6 +34,13 @@
 ##
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b03d884..e66addf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@ exit 0
 %endif
 %changelog
+* Wed Apr 7 2009 Dan Walsh 3.6.12-2
+- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
+
 * Tue Apr 7 2009 Dan Walsh 3.6.12-1
 - Upgrade to latest upstream
 - Allow devicekit_disk sys_rawio