diff --git a/policy-20090105.patch b/policy-20090105.patch index 553f80c..1d2eb7c 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1401,7 +1401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.6.3/policy/modules/admin/vbetool.if --- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.3/policy/modules/admin/vbetool.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/admin/vbetool.if 2009-01-23 14:46:57.000000000 -0500 @@ -18,3 +18,28 @@ corecmd_search_bin($1) domtrans_pattern($1, vbetool_exec_t, vbetool_t) @@ -4058,7 +4058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc 2009-01-20 14:46:23.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc 2009-01-23 15:08:37.000000000 -0500 @@ -58,6 +58,8 @@ /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -4103,7 +4103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -@@ -293,3 +299,8 @@ +@@ -293,3 +299,10 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -4112,6 +4112,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ ++/usr/lib(64)?/pm-utils/sleep.d(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.3/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.if 2009-01-19 13:10:02.000000000 -0500 @@ -6183,7 +6185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.3/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400 -+++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc 2009-01-19 13:53:59.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc 2009-01-23 09:24:07.000000000 -0500 @@ -36,7 +36,7 @@ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) 
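Review bot: The new corecommands.fc entry `/usr/lib(64)?/pm-utils/sleep.d(/.*)?` leaves the dot in `sleep.d` unescaped, so the pattern matches any character in that position and labels more paths `bin_t` than intended. Other entries in the same file escape the dot, for example `/etc/init\.d/functions`. The line should read `/usr/lib(64)?/pm-utils/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)`.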
@@ -6193,6 +6195,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ifdef(`distro_redhat', ` /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +@@ -57,7 +57,7 @@ + + /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +-/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh) ++/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) + /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) + + /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -67,6 +67,8 @@ /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -8502,7 +8513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-21 11:01:33.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-23 15:14:19.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # 
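Review bot: In storage.fc the `/dev/fuse` context drops from `mls_systemhigh` to `s0` with no comment and no changelog entry that mentions it. The fixed-disk nodes around it in the hunk stay at `mls_systemhigh`. On an MLS policy the lower level removes the sensitivity barrier on the FUSE control device, leaving only type enforcement on `fuse_device_t` to restrict access. If the intent is to let unprivileged user mounts open the device (inferred, not stated in the patch), record that next to the entry, e.g. `# /dev/fuse is opened by user-level mounts, so it is labeled s0`, and confirm that the domains allowed to use `fuse_device_t` are still the expected ones.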
@@ -10134,8 +10145,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.3/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/cron.fc 2009-01-19 13:10:02.000000000 -0500 -@@ -17,9 +17,9 @@ ++++ serefpolicy-3.6.3/policy/modules/services/cron.fc 2009-01-23 15:16:30.000000000 -0500 +@@ -1,3 +1,4 @@ ++/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) + + /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +@@ -17,9 +18,9 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -10148,7 +10164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -@@ -41,7 +41,11 @@ +@@ -41,7 +42,11 @@ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) 
@@ -10163,7 +10179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.3/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/cron.if 2009-01-21 15:20:50.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/cron.if 2009-01-23 15:15:40.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -10259,7 +10275,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_require(` type crond_t; ') -@@ -481,11 +515,14 @@ +@@ -416,6 +450,42 @@ + + ######################################## + ## ++## Execute cron in the cron system domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_domtrans',` ++ gen_require(` ++ type system_cronjob_t, crond_exec_t; ++ ') ++ ++ domtrans_pattern($1,crond_exec_t,system_cronjob_t) ++') ++ ++######################################## ++## ++## Execute crond_exec_t ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_exec',` ++ gen_require(` ++ type crond_exec_t; ++ ') ++ ++ can_exec($1,crond_exec_t) ++') ++ ++######################################## ++## + ## Inherit and use a file descriptor + ## from system cron jobs. + ## +@@ -481,11 +551,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -10275,7 +10334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -506,3 +543,82 @@ +@@ -506,3 +579,101 @@ dontaudit $1 system_cronjob_tmp_t:file append; ') 
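Review bot: The new `cron_domtrans` interface in cron.if sends the caller into `system_cronjob_t`, not `crond_t`, when it executes `crond_exec_t`, which neither its name nor its summary ("Execute cron in the cron system domain.") makes clear. A caller reading only the name would expect the daemon domain. The summary should name both types, e.g. `## Execute crond_exec_t with a domain transition to system_cronjob_t.`. `domtrans_pattern` does not itself grant the entrypoint permission, and whether `system_cronjob_t` has `crond_exec_t` as an entrypoint is not visible in this hunk, so that should be checked in cron.te. The `cron_exec` summary could likewise say that execution stays in the caller's domain.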
@@ -10358,9 +10417,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +') ++ ++######################################## ++## ++## Execute crond server in the nscd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`cron_initrc_domtrans',` ++ gen_require(` ++ type crond_initrc_exec_t; ++') ++ ++ init_labeled_script_domtrans($1, crond_initrc_exec_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-21 15:19:17.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-23 15:14:37.000000000 -0500 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -10372,8 +10450,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # var/log files type cron_log_t; logging_log_file(cron_log_t) -@@ -58,6 +62,8 @@ +@@ -56,8 +60,13 @@ + domain_interactive_fd(crond_t) + domain_cron_exemption_source(crond_t) ++type crond_initrc_exec_t; ++init_script_file(crond_initrc_exec_t) ++ type crond_tmp_t; files_tmp_file(crond_tmp_t) +files_poly_parent(crond_tmp_t) @@ -10381,7 +10464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type crond_var_run_t; files_pid_file(crond_var_run_t) -@@ -70,10 +76,11 @@ +@@ -70,10 +79,11 @@ typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; cron_common_crontab_template(crontab) 
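Review bot: The summary of the new `cron_initrc_domtrans` interface reads "Execute crond server in the nscd domain.", which looks copied from nscd.if and does not describe the interface. The body calls `init_labeled_script_domtrans($1, crond_initrc_exec_t)`, so the summary should describe running the cron init script with a transition to the init script domain, e.g. `## Execute the cron init script in the initrc domain.`. Interface summaries are what policy authors read when deciding whether to grant a transition, so a wrong domain name here is worth fixing.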
@@ -10394,7 +10477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) -@@ -103,6 +110,13 @@ +@@ -103,6 +113,13 @@ files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) @@ -10408,7 +10491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Admin crontab local policy -@@ -130,7 +144,7 @@ +@@ -130,7 +147,7 @@ # Cron daemon local policy # @@ -10417,7 +10500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -149,19 +163,19 @@ +@@ -149,19 +166,19 @@ allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -10441,7 +10524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(crond_t) selinux_get_fs_mount(crond_t) selinux_validate_context(crond_t) -@@ -183,6 +197,8 @@ +@@ -183,6 +200,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -10450,7 +10533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(crond_t) files_read_generic_spool(crond_t) -@@ -192,10 +208,13 @@ +@@ -192,10 +211,13 @@ files_search_default(crond_t) init_rw_utmp(crond_t) @@ -10464,7 +10547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -208,6 +227,7 @@ +@@ -208,6 +230,7 @@ userdom_list_user_home_dirs(crond_t) mta_send_mail(crond_t) 
@@ -10472,7 +10555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` # pam_limits is used -@@ -227,21 +247,45 @@ +@@ -227,21 +250,45 @@ ') ') @@ -10519,7 +10602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -283,7 +327,14 @@ +@@ -283,7 +330,14 @@ allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) @@ -10534,7 +10617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -314,9 +365,13 @@ +@@ -314,9 +368,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -10549,7 +10632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -370,7 +425,8 @@ +@@ -370,7 +428,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -10559,7 +10642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) -@@ -378,6 +434,7 @@ +@@ -378,6 +437,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) @@ -10567,7 +10650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) -@@ -428,11 +485,20 @@ +@@ -428,11 +488,20 @@ ') optional_policy(` 
@@ -10588,7 +10671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -460,8 +526,7 @@ +@@ -460,8 +529,7 @@ ') optional_policy(` @@ -10598,7 +10681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,24 +534,17 @@ +@@ -469,24 +537,17 @@ ') optional_policy(` @@ -10607,16 +10690,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(crond_t) unconfined_domain(system_cronjob_t) - userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) - ') - +-') +- -ifdef(`TODO',` -ifdef(`mta.te', ` -allow system_cronjob_t mail_spool_t:lnk_file read; -allow mta_user_agent system_cronjob_t:fd use; -r_dir_file(system_mail_t, crond_tmp_t) --') + ') -') dnl end TODO -- + ######################################## # # User cronjobs local policy @@ -10626,7 +10709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -@@ -570,6 +628,9 @@ +@@ -570,6 +631,9 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) 
@@ -11606,8 +11689,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-20 17:22:44.000000000 -0500 -@@ -0,0 +1,157 @@ ++++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-23 09:25:48.000000000 -0500 +@@ -0,0 +1,177 @@ + +## policy for devicekit + @@ -11765,10 +11848,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + devicekit_manage_var_run($1) + +') ++ ++######################################## ++## ++## Send to devicekit over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_dgram_send',` ++ gen_require(` ++ type devicekit_t; ++ ') ++ ++ allow $1 devicekit_t:unix_dgram_socket sendto; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-20 17:10:23.000000000 -0500 -@@ -0,0 +1,71 @@ ++++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-23 15:17:57.000000000 -0500 +@@ -0,0 +1,114 @@ +policy_module(devicekit,1.0.0) + +######################################## 
@@ -11816,19 +11919,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# DeviceKit-Power local policy +# ++allow devicekit_power_t self:capability { sys_tty_config dac_override }; ++allow devicekit_power_t self:fifo_file rw_fifo_file_perms; +allow devicekit_power_t self:unix_dgram_socket create_socket_perms; + ++corecmd_exec_bin(devicekit_power_t) ++corecmd_exec_shell(devicekit_power_t) ++ ++consoletype_exec(devicekit_power_t) ++ +dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t) -+dev_read_sysfs(devicekit_power_t) ++dev_rw_sysfs(devicekit_power_t) + +files_read_etc_files(devicekit_power_t) ++files_read_usr_files(devicekit_t) + +fs_list_inotifyfs(devicekit_power_t) + ++auth_use_nsswitch(devicekit_power_t) ++ +miscfiles_read_localization(devicekit_power_t) + ++userdom_read_all_users_state(devicekit_power_t) ++ ++optional_policy(` ++ hal_domtrans_mac(devicekit_power_t) ++ hal_write_log(devicekit_power_t) ++ hal_manage_pid_dirs(devicekit_power_t) ++ hal_manage_pid_files(devicekit_power_t) ++ hal_dbus_chat(devicekit_power_t) ++') ++ ++optional_policy(` ++ cron_initrc_domtrans(devicekit_power_t) ++') ++ +optional_policy(` ++ polkit_domtrans_auth(devicekit_power_t) ++ polkit_read_lib(devicekit_power_t) + polkit_read_reload(devicekit_power_t) +') + 
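Review bot: `files_read_usr_files(devicekit_t)` is added inside the "DeviceKit-Power local policy" section, where every other new rule names `devicekit_power_t`; this looks like a typo and should probably be `files_read_usr_files(devicekit_power_t)`. If the grant really is meant for `devicekit_t`, it belongs in that domain's section. The same hunk also gives `devicekit_power_t` the `dac_override` capability and `corecmd_exec_shell`, and widens `dev_read_sysfs` to `dev_rw_sysfs`, all without a comment. A one-line comment above the capability rule naming the helper that needs `dac_override` would let a later reviewer judge whether it can be narrowed.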
@@ -11836,9 +11965,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client(devicekit_power_t) + allow devicekit_power_t devicekit_t:dbus send_msg; + allow devicekit_t devicekit_power_t:dbus send_msg; ++ + optional_policy(` + consolekit_dbus_chat(devicekit_power_t) + ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(devicekit_power_t) ++ ') ++ ++ optional_policy(` ++ rpm_dbus_chat(devicekit_power_t) ++ ') ++') ++ ++optional_policy(` ++ bootloader_domtrans(devicekit_power_t) ++') ++ ++optional_policy(` ++ vbetool_domtrans(devicekit_power_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 @@ -12735,8 +12881,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.3/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/hal.if 2009-01-20 15:29:07.000000000 -0500 -@@ -51,10 +51,7 @@ ++++ serefpolicy-3.6.3/policy/modules/services/hal.if 2009-01-23 14:59:53.000000000 -0500 +@@ -20,6 +20,24 @@ + + ######################################## + ## ++## Execute hal mac in the hal mac domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_domtrans_mac',` ++ gen_require(` ++ type hald_mac_t, hald_mac_exec_t; ++ ') ++ ++ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) ++') ++ ++######################################## ++## + ## Get the attributes of a hal process. + ## + ## +@@ -51,10 +69,7 @@ type hald_t; ') 
@@ -12748,6 +12919,67 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +@@ -340,3 +355,60 @@ + files_search_pids($1) + allow $1 hald_var_run_t:file rw_file_perms; + ') ++ ++######################################## ++## ++## Read/Write hald PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_rw_pid_files',` ++ gen_require(` ++ type hald_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 hald_var_run_t:file rw_file_perms; ++') ++ ++######################################## ++## ++## Manage hald PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_manage_pid_files',` ++ gen_require(` ++ type hald_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ++') ++ ++######################################## ++## ++## Manage hald PID dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_manage_pid_dirs',` ++ gen_require(` ++ type hald_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/services/hal.te 2009-01-20 11:41:48.000000000 -0500 
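Review bot: The new `hal_rw_pid_files` interface is appended directly after an existing hal.if interface whose visible tail has the same two rules, `files_search_pids($1)` and `allow $1 hald_var_run_t:file rw_file_perms;`. The header of that existing interface is outside the hunk. If it is already `hal_rw_pid_files`, this adds a second definition under the same name, and the new block should be dropped, keeping only `hal_manage_pid_files` and `hal_manage_pid_dirs`.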
@@ -14776,7 +15008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.3/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/nscd.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/nscd.if 2009-01-23 15:15:06.000000000 -0500 @@ -58,6 +58,42 @@ ######################################## @@ -16474,7 +16706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.3/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/polkit.if 2009-01-19 14:47:07.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/polkit.if 2009-01-23 14:44:09.000000000 -0500 @@ -0,0 +1,241 @@ + +## policy for polkit_auth @@ -22605,7 +22837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 16:14:47.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-23 10:14:45.000000000 -0500 @@ -34,6 +34,13 @@ ## 
@@ -23043,6 +23275,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Device rules allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; +@@ -622,7 +728,7 @@ + manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) + files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) + +-filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) ++#filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) + + manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) + manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) @@ -635,6 +741,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -27411,7 +27652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-21 16:19:30.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-23 15:07:13.000000000 -0500 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index e8c67e0..8c2d929 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.3 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Fri Jan 23 2009 Dan Walsh 3.6.3-8 +- Add policy to make dbus/nm-applet work + * Thu Jan 22 2009 Dan Walsh 3.6.3-7 - Remove polgen-ifgen from post and add trigger to policycoreutils-python
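Review bot: In xserver.te the rule `filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)` is disabled with a leading `#` rather than deleted, and no reason is given. A commented-out type transition leaves the next reader unsure whether sockets created under `xserver_tmp_t` directories are still meant to end up as `xserver_tmp_t`. Either delete the line or put a one-line comment above it saying why the transition was turned off and what now labels those sockets.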