From dcd0c96f34ff883df8be2bf18244922552c5cc3c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Dec 11 2008 15:21:57 +0000
Subject: - Allow unconfined_r unconfined_java_t
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
index f017e02..51b4aa3 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -47,6 +47,13 @@ awstats = module
 amanda = module
 
 # Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
 # Module: amavis
 #
 # Anti-virus
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f017e02..51b4aa3 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -47,6 +47,13 @@ awstats = module
 amanda = module
 
 # Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
 # Module: amavis
 #
 # Anti-virus
diff --git a/policy-20081111.patch b/policy-20081111.patch
index d522cba..c16f230 100644
--- a/policy-20081111.patch
+++ b/policy-20081111.patch
@@ -1819,8 +1819,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.1/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/java.if 2008-11-25 09:45:43.000000000 -0500
-@@ -68,3 +68,96 @@
++++ serefpolicy-3.6.1/policy/modules/apps/java.if 2008-12-11 09:33:36.000000000 -0500
+@@ -68,3 +68,121 @@
  domtrans_pattern($1, java_exec_t, unconfined_java_t)
  corecmd_search_bin($1)
  ')
@@ -1852,6 +1852,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Execute java in the unconfined java domain, and ++## allow the specified role the unconfined java domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the java domain. ++## ++## ++# ++interface(`java_run_unconfined',` ++ gen_require(` ++ type unconfined_java_t; ++ ') ++ ++ java_domtrans_unconfined($1) ++ role $2 types unconfined_java_t; ++') ++ ++######################################## ++## +## Execute the java program in the java domain. +## +## @@ -4786,7 +4811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-03 15:24:41.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-11 09:54:03.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -4810,7 +4835,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring -@@ -118,6 +127,7 @@ +@@ -106,6 +115,10 @@ + ') + + optional_policy(` ++ afs_rw_cache(domain) ++') ++ ++optional_policy(` + libs_use_ld_so(domain) + libs_use_shared_libs(domain) + ') +@@ -118,6 +131,7 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) 
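Review bot: `afs_rw_cache(domain)` in the new `optional_policy` block of domain.te grants every domain on the system read/write on `afs_cache_t` files, a far wider subject than the per-domain rules around it, and nothing in the hunk records why. The `afs_rw_cache` interface added later in this patch grants `file { read write }` only, so callers get no directory search on the cache either, which suggests the rule is aimed at I/O the kernel AFS client performs in the caller's context rather than at processes opening the cache themselves; if that is the rationale it should be written down next to the call, e.g. `# afs cache I/O is charged to whichever domain touched /afs (TODO: confirm against AVC logs)`. The keyring comment a few lines above is a good model for the kind of note that belongs here.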
@@ -4818,7 +4854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -136,6 +146,9 @@ +@@ -136,6 +150,9 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -4828,7 +4864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -145,7 +158,7 @@ +@@ -145,7 +162,7 @@ # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -4837,7 +4873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -153,3 +166,39 @@ +@@ -153,3 +170,39 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) 
@@ -4879,8 +4915,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dontaudit can_change_object_identity can_change_object_identity:key link; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.1/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/files.fc 2008-11-25 09:45:43.000000000 -0500 -@@ -32,6 +32,7 @@ ++++ serefpolicy-3.6.1/policy/modules/kernel/files.fc 2008-12-11 09:47:36.000000000 -0500 +@@ -8,6 +8,8 @@ + /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) + /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) + ++/afs -d gen_context(system_u:object_r:mnt_t,s0) ++ + ifdef(`distro_redhat',` + /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) + /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0) +@@ -32,6 +34,7 @@ /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /boot/lost\+found/.* <> /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) @@ -4888,7 +4933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /emul -@@ -49,6 +50,7 @@ +@@ -49,6 +52,7 @@ /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) 
@@ -7475,6 +7520,211 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') +gen_user(xguest_u, user, xguest_r, s0, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.1/policy/modules/services/afs.fc +--- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.1/policy/modules/services/afs.fc 2008-12-11 09:47:41.000000000 -0500 +@@ -1,3 +1,6 @@ ++/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_script_exec_t,s0) ++/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_script_exec_t,s0) ++ + /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) + /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) + /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) +@@ -17,6 +20,13 @@ + + /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) + ++/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) ++ + /vicepa gen_context(system_u:object_r:afs_files_t,s0) + /vicepb gen_context(system_u:object_r:afs_files_t,s0) + /vicepc gen_context(system_u:object_r:afs_files_t,s0) ++ ++ ++/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) ++ ++/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.1/policy/modules/services/afs.if +--- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.1/policy/modules/services/afs.if 2008-12-11 09:59:32.000000000 -0500 +@@ -1 +1,110 @@ + ## Andrew Filesystem server ++ ++######################################## ++## ++## Execute a domain transition to run afs. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`afs_domtrans',` ++ gen_require(` ++ type afs_t; ++ type afs_exec_t; ++ ') ++ ++ domtrans_pattern($1,afs_exec_t,afs_t) ++') ++ ++ ++######################################## ++## ++## Read and write afs UDP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`afs_rw_udp_sockets',` ++ gen_require(` ++ type afs_t; ++ ') ++ ++ allow $1 afs_t:udp_socket { read write }; ++') ++ ++######################################## ++## ++## read/write afs cache files ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`afs_rw_cache',` ++ gen_require(` ++ type afs_cache_t; ++ ') ++ ++ allow $1 afs_cache_t:file {read write}; ++') ++ ++ ++######################################## ++## ++## Execute afs server in the afs domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`afs_script_domtrans',` ++ gen_require(` ++ type afs_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,afs_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an afs environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the afs domain. 
++## ++## ++## ++# ++interface(`afs_admin',` ++ gen_require(` ++ type afs_t; ++ type afs_script_exec_t; ++ ') ++ ++ allow $1 afs_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, afs_t, afs_t) ++ ++ # Allow afs_t to restart the apache service ++ afs_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 afs_script_exec_t system_r; ++ allow $2 system_r; ++ ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.1/policy/modules/services/afs.te +--- nsaserefpolicy/policy/modules/services/afs.te 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/afs.te 2008-12-11 09:58:19.000000000 -0500 +@@ -6,6 +6,16 @@ + # Declarations + # + ++type afs_t; ++type afs_exec_t; ++init_daemon_domain(afs_t, afs_exec_t) ++ ++type afs_script_exec_t; ++init_script_file(afs_script_exec_t) ++ ++type afs_cache_t; ++files_type(afs_cache_t) ++ + type afs_bosserver_t; + type afs_bosserver_exec_t; + init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) +@@ -302,3 +312,46 @@ + sysnet_read_config(afs_vlserver_t) + + userdom_dontaudit_use_user_terminals(afs_vlserver_t) ++ ++######################################## ++# ++# afs local policy ++# ++ ++allow afs_t self:capability { sys_nice sys_tty_config }; ++allow afs_t self:process setsched; ++allow afs_t self:udp_socket create_socket_perms; ++allow afs_t self:fifo_file rw_file_perms; ++allow afs_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(afs_t,afs_cache_t,afs_cache_t) ++manage_dirs_pattern(afs_t,afs_cache_t,afs_cache_t) ++files_var_filetrans(afs_t,afs_cache_t,{file dir}) ++ ++files_mounton_mnt(afs_t) ++files_read_etc_files(afs_t) ++files_rw_etc_runtime_files(afs_t) ++ ++fs_getattr_xattr_fs(afs_t) ++fs_mount_nfs(afs_t) ++ ++kernel_rw_afs_state(afs_t) ++ ++# Init script handling ++domain_use_interactive_fds(afs_t) ++ ++corenet_all_recvfrom_unlabeled(afs_t) 
++corenet_all_recvfrom_netlabel(afs_t) ++corenet_tcp_sendrecv_generic_if(afs_t) ++corenet_udp_sendrecv_generic_if(afs_t) ++corenet_tcp_sendrecv_all_nodes(afs_t) ++corenet_udp_sendrecv_all_nodes(afs_t) ++corenet_tcp_sendrecv_all_ports(afs_t) ++corenet_udp_sendrecv_all_ports(afs_t) ++corenet_udp_bind_all_nodes(afs_t) ++ ++miscfiles_read_localization(afs_t) ++ ++logging_send_syslog_msg(afs_t) ++ ++permissive afs_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-11-25 09:45:43.000000000 -0500 @@ -9639,7 +9889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.1/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/cron.fc 2008-12-09 14:38:32.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/cron.fc 2008-12-10 11:57:27.000000000 -0500 @@ -17,9 +17,9 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
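Review bot: Several of the new interface docs in afs.if are copy-paste leftovers: `afs_rw_cache` describes its parameter as `Domain allowed to transition.` although it only grants file read/write (it should read `Domain allowed access.`), `afs_script_domtrans` is summarised as `Execute afs server in the afs domain.` although it calls `init_script_domtrans_spec`, and `afs_admin` carries `# Allow afs_t to restart the apache service`, which should name afs. `afs_admin` also gives the admin role no access to `afs_cache_t`, so an administrator cannot clear the cache; if that is intended say so in the summary, otherwise add `manage_dirs_pattern($1, afs_cache_t, afs_cache_t)` and `manage_files_pattern($1, afs_cache_t, afs_cache_t)` alongside the existing `read_files_pattern` line. In afs.te the new domain ends with `permissive afs_t;`, so none of the `afs_t` rules above it are enforced yet; a comment stating the condition for dropping that line, e.g. `# permissive until the afsd rule set has been checked against AVC logs; TODO remove`, would keep it from being shipped indefinitely. Finally, neither the subject nor the spec changelog entry mentions this new afs_t client domain or the `dac_override` capability removed from `cronjob_t` in the cron.te hunk further down; both are behavioral changes worth their own changelog line.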
@@ -9669,7 +9919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.1/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/cron.if 2008-12-09 14:23:55.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/cron.if 2008-12-10 10:08:50.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -9694,21 +9944,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_tmp_t:file manage_file_perms; files_tmp_filetrans($1_t,$1_tmp_t,file) -@@ -58,6 +66,13 @@ +@@ -58,6 +66,12 @@ files_dontaudit_search_pids($1_t) logging_send_syslog_msg($1_t) + logging_send_audit_msgs($1_t) + logging_set_loginuid($1_t) -+ + auth_domtrans_chk_passwd($1_t) -+ init_dontaudit_write_utmp($1_t) + ++ init_dontaudit_write_utmp($1_t) + init_read_utmp($1_t) miscfiles_read_localization($1_t) -@@ -343,6 +358,24 @@ +@@ -343,6 +357,24 @@ ######################################## ## @@ -9733,7 +9982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write a cron daemon unnamed pipe. ## ## -@@ -361,7 +394,7 @@ +@@ -361,7 +393,7 @@ ######################################## ## @@ -9742,7 +9991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -369,7 +402,7 @@ +@@ -369,7 +401,7 @@ ## ## # @@ -9751,7 +10000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_require(` type crond_t; ') -@@ -481,11 +514,14 @@ +@@ -481,11 +513,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` 
@@ -9767,7 +10016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -506,3 +542,83 @@ +@@ -506,3 +541,83 @@ dontaudit $1 system_cronjob_tmp_t:file append; ') @@ -9853,7 +10102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.1/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-12-09 14:21:58.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-12-10 10:05:12.000000000 -0500 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -10081,7 +10330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,17 +529,11 @@ +@@ -469,24 +529,17 @@ ') optional_policy(` @@ -10102,6 +10351,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # + # User cronjobs local policy + # + +-allow cronjob_t self:capability dac_override; + allow cronjob_t self:process { signal_perms setsched }; + allow cronjob_t self:fifo_file rw_fifo_file_perms; + allow cronjob_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.1/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.1/policy/modules/services/cups.fc 2008-11-25 09:45:43.000000000 -0500 
@@ -13420,7 +13676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.1/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if 2008-12-11 09:54:36.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## @@ -21837,7 +22093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-08 15:05:18.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-11 09:57:10.000000000 -0500 @@ -43,6 +43,7 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -21882,7 +22138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_rw_utmp($1) -@@ -100,8 +117,40 @@ +@@ -100,8 +117,44 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -21892,6 +22148,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_search_admin_dir($1) + + optional_policy(` ++ afs_rw_udp_sockets($1) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1) + optional_policy(` + oddjob_dbus_chat($1) 
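Review bot: The new `optional_policy` block in `auth_login_pgm_domain` calls `afs_rw_udp_sockets($1)`, which lets every login program read and write the afs client daemon's UDP sockets (`allow $1 afs_t:udp_socket { read write }` in afs.if), and nothing in the hunk says which login path needs that. A one-line comment above the call naming the trigger, e.g. `# required by (TODO: PAM module or observed denial) when afsd is running`, would let a later reviewer judge whether the grant belongs on the whole login-program attribute or on a single domain. The enclosing interface starts before this hunk.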
@@ -21923,7 +22183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -197,8 +246,11 @@ +@@ -197,8 +250,11 @@ interface(`auth_domtrans_chk_passwd',` gen_require(` type chkpwd_t, chkpwd_exec_t, shadow_t; @@ -21935,7 +22195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) -@@ -207,19 +259,16 @@ +@@ -207,19 +263,16 @@ dev_read_rand($1) dev_read_urand($1) @@ -21960,7 +22220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -230,6 +279,29 @@ +@@ -230,6 +283,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -21990,7 +22250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -254,6 +326,7 @@ +@@ -254,6 +330,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -21998,7 +22258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1031,6 +1104,32 @@ +@@ -1031,6 +1108,32 @@ ######################################## ## @@ -22031,7 +22291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1297,6 +1396,10 @@ +@@ -1297,6 +1400,10 @@ ') optional_policy(` @@ -22042,7 +22302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1307,6 +1410,7 @@ +@@ -1307,6 +1414,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -22050,7 +22310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1341,3 +1445,80 @@ +@@ -1341,3 +1449,80 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
@@ -25451,7 +25711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-03 14:30:00.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-11 09:33:53.000000000 -0500 @@ -6,35 +6,76 @@ # Declarations # @@ -25603,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,7 +185,7 @@ +@@ -119,31 +185,33 @@ ') optional_policy(` @@ -25612,7 +25872,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -127,23 +193,25 @@ +- java_domtrans_unconfined(unconfined_t) ++ java_run_unconfined(unconfined_t, unconfined_r) ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index d2ba853..76d3058 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.1 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Thu Dec 11 2008 Dan Walsh 3.6.1-10 +- Allow unconfined_r unconfined_java_t + * Tue Dec 9 2008 Dan Walsh 3.6.1-9 - Add cron_role back to user domains