From ebab4d1c66f0cdabef33f301ef9eddd0c069e950 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Feb 14 2008 20:51:06 +0000
Subject: - Allow udev to send audit messages
---
diff --git a/policy-20071130.patch b/policy-20071130.patch
index a94013a..fad0a37 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -21255,7 +21255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.7/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/xserver.if 2008-02-13 16:57:15.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/xserver.if 2008-02-14 15:45:10.000000000 -0500 @@ -15,6 +15,7 @@ template(`xserver_common_domain_template',` gen_require(`
@@ -24776,8 +24776,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.7/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/qemu.te 2008-02-13 16:57:16.000000000 -0500
-@@ -0,0 +1,66 @@
++++ serefpolicy-3.2.7/policy/modules/system/qemu.te 2008-02-14 15:46:36.000000000 -0500
+@@ -0,0 +1,83 @@ +policy_module(qemu,1.0.0) + +########################################
@@ -24807,6 +24807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +## internal communication is often done using fifo and unix sockets. +allow qemu_t self:fifo_file rw_file_perms; +allow qemu_t self:unix_stream_socket create_stream_socket_perms;
++allow qemu_t self:shm create_shm_perms; + +corenet_all_recvfrom_unlabeled(qemu_t) +corenet_all_recvfrom_netlabel(qemu_t)
@@ -24817,8 +24818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +corenet_tcp_bind_vnc_port(qemu_t) +corenet_rw_tun_tap_dev(qemu_t) +
-+virt_manage_image(qemu_t)
-+virt_read_config(qemu_t)
++kernel_read_system_state(qemu_t) + +dev_rw_kvm(qemu_t) +
@@ -24828,6 +24828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +files_search_all(qemu_t) + +fs_rw_anon_inodefs_files(qemu_t)
++fs_rw_tmpfs_files(qemu_t) + +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t)
@@ -24841,8 +24842,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t + +miscfiles_read_localization(qemu_t) +
-+allow qemu_unconfined_t self:process { execstack execmem };
++sysnet_read_config(qemu_t)
++
++virt_manage_image(qemu_t)
++virt_read_config(qemu_t)
++
++optional_policy(`
++ xserver_stream_connect_xdm_xserver(qemu_t)
++ xserver_read_xdm_tmp_files(qemu_t)
++ xserver_xdm_rw_shm(qemu_t)
++')
++
++########################################
++#
++# qemu_unconfined local policy
++#
++ +unconfined_domain_noaudit(qemu_unconfined_t)
++allow qemu_unconfined_t self:process { execstack execmem }; + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.7/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500
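Review bot: `fs_rw_tmpfs_files(qemu_t)` in the hunk at @@ -24828 grants read/write on every file carrying the generic tmpfs_t label, which in refpolicy is what tmpfs and /dev/shm objects receive when the creating domain has no file transition of its own, so qemu_t would be able to read and modify shared-memory files of unrelated domains rather than only its own. If the access is for qemu's own tmpfs/shm objects, the narrower refpolicy idiom is a private type with a file transition, sketched below; the X server case appears to be addressed separately by `xserver_xdm_rw_shm(qemu_t)` in the last hunk, and `allow qemu_t self:shm create_shm_perms;` in the first hunk covers SysV shm. The qemu.te type declarations that such a private type would join sit outside these hunks. The commit subject names udev audit messages, which none of the visible hunks touch, so that part presumably lives elsewhere in the patch; listing the qemu_t additions (shm, tmpfs, kernel_read_system_state, sysnet_read_config, the xserver interfaces) in the message would let a reviewer match each policy widening to a stated need.
```m4
# … unchanged: qemu_t / qemu_unconfined_t declarations (outside the hunk) …
type qemu_tmpfs_t;
files_tmpfs_file(qemu_tmpfs_t)

# … unchanged: fs_rw_anon_inodefs_files(qemu_t) …
# replaces fs_rw_tmpfs_files(qemu_t): qemu gets only its own tmpfs files
manage_files_pattern(qemu_t, qemu_tmpfs_t, qemu_tmpfs_t)
fs_tmpfs_filetrans(qemu_t, qemu_tmpfs_t, file)
```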