diff --git a/policy-20071130.patch b/policy-20071130.patch index e8061b7..14ced2c 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -5454,8 +5454,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-28 09:20:56.000000000 +0100 -@@ -0,0 +1,179 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-29 12:28:11.000000000 +0100 +@@ -0,0 +1,183 @@ + +policy_module(nsplugin,1.0.0) + @@ -5587,6 +5587,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + +optional_policy(` ++ unconfined_execmem_signull(nsplugin_t) ++') ++ ++optional_policy(` + xserver_stream_connect_xdm_xserver(nsplugin_t) + xserver_xdm_rw_shm(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) @@ -6817,7 +6821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 23:02:31.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-02-26 20:19:56.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-03-29 13:08:46.000000000 +0100 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -7741,7 +7745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 23:02:31.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-02-27 22:58:04.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-03-29 13:06:34.000000000 +0100 @@ -851,9 +851,8 @@ type proc_t, proc_afs_t; ') @@ -12733,7 +12737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 11:32:17.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-19 19:48:13.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-29 13:18:18.000000000 +0100 @@ -9,6 +9,7 @@ # # Delcarations @@ -12811,7 +12815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus libs_use_ld_so(system_dbusd_t) libs_use_shared_libs(system_dbusd_t) -@@ -121,9 +139,26 @@ +@@ -121,9 +139,28 @@ ') optional_policy(` @@ -12834,8 +12838,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +optional_policy(` + gen_require(` + type unconfined_dbusd_t; ++ attribute domain; + ') + unconfined_domain(unconfined_dbusd_t) ++ allow dbusd_unconfined domain:consolekit_t:dbus send_msg; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if @@ -13746,7 +13752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.3.1/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2008-02-26 14:17:43.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/dovecot.te 2008-02-26 14:29:22.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/dovecot.te 2008-03-29 12:22:39.000000000 +0100 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -13838,7 +13844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -184,5 +205,49 @@ +@@ -184,5 +205,53 @@ ') optional_policy(` @@ -13876,6 +13882,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +files_read_etc_files(dovecot_deliver_t) +files_read_etc_runtime_files(dovecot_deliver_t) + ++auth_use_nsswitch(dovecot_deliver_t) ++ +libs_use_ld_so(dovecot_deliver_t) +libs_use_shared_libs(dovecot_deliver_t) + @@ -13885,6 +13893,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + +dovecot_auth_stream_connect(dovecot_deliver_t) + ++userdom_priveleged_home_dir_manager(dovecot_deliver_t) ++ +optional_policy(` + mta_manage_spool(dovecot_deliver_t) ') @@ -23614,8 +23624,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.3.1/policy/modules/services/stunnel.if --- nsaserefpolicy/policy/modules/services/stunnel.if 2006-11-16 23:15:20.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/stunnel.if 2008-03-18 19:31:14.000000000 +0100 -@@ -1 +1,24 @@ ++++ serefpolicy-3.3.1/policy/modules/services/stunnel.if 2008-03-29 17:44:16.000000000 +0100 +@@ -1 +1,25 @@ ## SSL Tunneling Proxy + +######################################## @@ -23639,6 +23649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun + ') + + domtrans_pattern(stunnel_t,$2,$1) ++ allow $1 stunnel_t:tcp_socket rw_socket_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.3.1/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-19 11:32:17.000000000 +0100 @@ -26939,7 +26950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 14:17:43.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-12 13:37:59.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-29 13:15:04.000000000 +0100 @@ -10,6 +10,20 @@ # Declarations # @@ -27142,22 +27153,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -559,14 +622,6 @@ - ') +@@ -554,16 +617,12 @@ + dbus_read_config(initrc_t) - optional_policy(` + optional_policy(` +- networkmanager_dbus_chat(initrc_t) ++ consolekit_dbus_chat(initrc_t) + ') +-') + +-optional_policy(` - # /var/run/dovecot/login/ssl-parameters.dat is a hard link to - # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up - # the directory. But we do not want to allow this. - # The master process of dovecot will manage this file. - dovecot_dontaudit_unlink_lib_files(initrc_t) --') -- --optional_policy(` - ftp_read_config(initrc_t) ++ optional_policy(` ++ networkmanager_dbus_chat(initrc_t) ++ ') ') -@@ -639,12 +694,6 @@ + optional_policy(` +@@ -639,12 +698,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -27170,7 +27187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -705,6 +754,9 @@ +@@ -705,6 +758,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -27180,7 +27197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -717,9 +769,11 @@ +@@ -717,9 +773,11 @@ squid_manage_logs(initrc_t) ') @@ -27195,7 +27212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -738,6 +792,11 @@ +@@ -738,6 +796,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -27207,7 +27224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` unconfined_domain(initrc_t) -@@ -752,6 +811,10 @@ +@@ -752,6 +815,10 @@ ') optional_policy(` @@ -27218,7 +27235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -774,3 +837,4 @@ +@@ -774,3 +841,4 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -29744,7 +29761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 21:30:49.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-03-04 23:26:54.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-03-29 12:26:49.000000000 +0100 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -29806,7 +29823,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -581,7 +587,6 @@ +@@ -372,6 +378,24 @@ + + ######################################## + ## ++## Send a SIGNULL signal to the unconfined execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_execmem_signull',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') ++ ++ allow $1 unconfined_execmem_t:process signull; ++') ++ ++######################################## ++## + ## Send generic signals to the unconfined domain. + ## + ## +@@ -581,7 +605,6 @@ interface(`unconfined_dbus_connect',` gen_require(` type unconfined_t; @@ -29814,7 +29856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') allow $1 unconfined_t:dbus acquire_svc; -@@ -589,7 +594,139 @@ +@@ -589,7 +612,120 @@ ######################################## ## @@ -29933,34 +29975,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +######################################## +## +## Allow apps to set rlimits on userdomain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_set_rlimitnh',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process rlimitinh; -+') -+ -+######################################## -+## -+## Allow the specified domain to read/write to -+## unconfined with a unix domain stream sockets. ## ## ## -@@ -597,41 +734,43 @@ +@@ -597,20 +733,18 @@ ## ## # -interface(`unconfined_read_home_content_files',` -+interface(`unconfined_rw_stream_sockets',` ++interface(`unconfined_set_rlimitnh',` gen_require(` - type unconfined_home_dir_t, unconfined_home_t; + type unconfined_t; @@ -29970,57 +29993,76 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; - read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) - read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) -+ allow $1 unconfined_t:unix_stream_socket { read write }; ++ allow $1 unconfined_t:process rlimitinh; ') ######################################## ## -## Read unconfined users temporary files. -+## Read/write unconfined tmpfs files. ++## Allow the specified domain to read/write to ++## unconfined with a unix domain stream sockets. ## -+## -+##

-+## Read/write unconfined tmpfs files. -+##

-+## ## ## - ## Domain allowed access. +@@ -618,31 +752,54 @@ ## ## # -interface(`unconfined_read_tmp_files',` -+interface(`unconfined_rw_tmpfs_files',` ++interface(`unconfined_rw_stream_sockets',` gen_require(` - type unconfined_tmp_t; -+ type unconfined_tmpfs_t; ++ type unconfined_t; ') - files_search_tmp($1) - allow $1 unconfined_tmp_t:dir list_dir_perms; - read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) - read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) -+ fs_search_tmpfs($1) -+ allow $1 unconfined_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) -+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) ++ allow $1 unconfined_t:unix_stream_socket { read write }; ') ######################################## ## -## Write unconfined users temporary files. -+## Get the process group of unconfined. ++## Read/write unconfined tmpfs files. ## ++## ++##

++## Read/write unconfined tmpfs files. ++##

++## ## ## -@@ -639,10 +778,10 @@ + ## Domain allowed access. ## ## # -interface(`unconfined_write_tmp_files',` -+interface(`unconfined_getpgid',` ++interface(`unconfined_rw_tmpfs_files',` gen_require(` - type unconfined_tmp_t; ++ type unconfined_tmpfs_t; ++ ') ++ ++ fs_search_tmpfs($1) ++ allow $1 unconfined_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) ++ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) ++') ++ ++######################################## ++## ++## Get the process group of unconfined. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_getpgid',` ++ gen_require(` + type unconfined_t; ') @@ -30364,7 +30406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 15:52:56.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-27 23:47:44.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-29 13:10:01.000000000 +0100 @@ -29,9 +29,14 @@ ') @@ -30381,7 +30423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -45,66 +50,76 @@ +@@ -45,66 +50,78 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) @@ -30442,6 +30484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) + kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) ++ kernel_dontaudit_list_proc($1_usertype) # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. @@ -30491,23 +30534,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) -+ -+ auth_use_nsswitch($1_usertype) -+ -+ libs_use_ld_so($1_usertype) -+ libs_use_shared_libs($1_usertype) -+ libs_exec_ld_so($1_usertype) ++ dev_getattr_mtrr_dev($1_t) - miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) -- ++ auth_use_nsswitch($1_usertype) + - sysnet_read_config($1_t) ++ libs_use_ld_so($1_usertype) ++ libs_use_shared_libs($1_usertype) ++ libs_exec_ld_so($1_usertype) ++ + miscfiles_read_localization($1_usertype) + miscfiles_read_certs($1_usertype) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -115,6 +130,10 @@ +@@ -115,6 +132,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -30518,7 +30561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -141,33 +160,13 @@ +@@ -141,33 +162,13 @@ # template(`userdom_ro_home_template',` gen_require(` @@ -30557,7 +30600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -175,13 +174,14 @@ +@@ -175,13 +176,14 @@ # # read-only home directory @@ -30579,7 +30622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` -@@ -231,30 +231,14 @@ +@@ -231,30 +233,14 @@ # template(`userdom_manage_home_template',` gen_require(` @@ -30616,7 +30659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -262,43 +246,46 @@ +@@ -262,43 +248,46 @@ # # full control of the home directory @@ -30691,7 +30734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -316,14 +303,20 @@ +@@ -316,14 +305,20 @@ ## # template(`userdom_exec_home_template',` @@ -30717,7 +30760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -341,11 +334,10 @@ +@@ -341,11 +336,10 @@ ## # template(`userdom_poly_home_template',` @@ -30733,7 +30776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -369,18 +361,18 @@ +@@ -369,18 +363,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -30762,7 +30805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -396,7 +388,13 @@ +@@ -396,7 +390,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -30777,7 +30820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -445,12 +443,12 @@ +@@ -445,12 +445,12 @@ type $1_tmpfs_t, $1_file_type; files_tmpfs_file($1_tmpfs_t) @@ -30796,7 +30839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -510,10 +508,6 @@ +@@ -510,10 +510,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -30807,7 +30850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,27 +525,20 @@ +@@ -531,27 +527,20 @@ ## # template(`userdom_basic_networking_template',` @@ -30847,7 +30890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +555,32 @@ +@@ -568,30 +557,32 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -30896,7 +30939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -622,13 +611,7 @@ +@@ -622,13 +613,7 @@ ## ## The template for allowing the user to change roles. ## @@ -30911,7 +30954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,183 +675,194 @@ +@@ -692,183 +677,194 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -31187,7 +31230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -895,6 +889,8 @@ +@@ -895,6 +891,8 @@ ## # template(`userdom_login_user_template', ` @@ -31196,7 +31239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -923,70 +919,68 @@ +@@ -923,70 +921,68 @@ allow $1_t self:context contains; @@ -31299,7 +31342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1020,9 +1014,6 @@ +@@ -1020,9 +1016,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -31309,7 +31352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1031,16 +1022,29 @@ +@@ -1031,16 +1024,29 @@ # # privileged home directory writers @@ -31345,7 +31388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1068,6 +1072,13 @@ +@@ -1068,6 +1074,13 @@ userdom_restricted_user_template($1) @@ -31359,7 +31402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1087,16 @@ +@@ -1076,14 +1089,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -31381,7 +31424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1104,29 @@ +@@ -1091,32 +1106,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -31425,7 +31468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1137,10 @@ +@@ -1127,10 +1139,10 @@ ## ## ##

@@ -31440,7 +31483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1164,7 +1174,6 @@ +@@ -1164,7 +1176,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -31448,7 +31491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1193,12 +1202,11 @@ +@@ -1193,12 +1204,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -31463,7 +31506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1215,27 @@ +@@ -1207,7 +1217,27 @@ ') optional_policy(` @@ -31492,7 +31535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1312,6 @@ +@@ -1284,8 +1314,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -31501,6 +31544,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) +@@ -1307,8 +1335,6 @@ + + dev_getattr_generic_blk_files($1_t) + dev_getattr_generic_chr_files($1_t) +- # for lsof +- dev_getattr_mtrr_dev($1_t) + # Allow MAKEDEV to work + dev_create_all_blk_files($1_t) + dev_create_all_chr_files($1_t) @@ -1363,13 +1389,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 3209fc3..d9cc034 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 25%{?dist} +Release: 26%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Sat Mar 28 2008 Dan Walsh 3.3.1-26 +- Allow initrc_t to dbus chat with consolekit. + * Thu Mar 27 2008 Dan Walsh 3.3.1-25 - Additional access for nsplugin - Allow xdm setcap/getcap until pulseaudio is fixed