diff --git a/policy-20080710.patch b/policy-20080710.patch index 6c767e1..ca456d7 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -2381,8 +2381,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.12/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/gpg.te 2008-10-14 15:00:15.000000000 -0400 -@@ -15,15 +15,253 @@ ++++ serefpolicy-3.5.12/policy/modules/apps/gpg.te 2008-10-15 10:23:21.000000000 -0400 +@@ -15,15 +15,255 @@ gen_tunable(gpg_agent_env_file, false) # Type for gpg or pgp executables. @@ -2420,7 +2420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow gpg_t self:capability { ipc_lock setuid }; -+allow gpg_t gpg_t:process signal; ++allow gpg_t self:process signal; +# setrlimit is for ulimit -c 0 +allow gpg_t self:process { setrlimit getcap setcap setpgid }; + @@ -2435,6 +2435,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) + ++kernel_read_sysctl(gpg_t) ++ +unprivuser_home_dir_filetrans_home_content(gpg_t, file) +unprivuser_home_dir_filetrans(gpg_t, gpg_secret_t, dir) +unprivuser_manage_home_content_files(gpg_t) @@ -4282,8 +4284,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.12/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.te 2008-10-14 15:00:15.000000000 -0400 -@@ -0,0 +1,246 @@ ++++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.te 2008-10-15 16:26:12.000000000 -0400 +@@ -0,0 +1,247 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4381,6 +4383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) + ++files_dontaudit_list_home(nsplugin_t) +files_read_usr_files(nsplugin_t) +files_read_etc_files(nsplugin_t) +files_read_config_files(nsplugin_t) @@ -5736,6 +5739,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.12/policy/modules/apps/wine.fc +--- nsaserefpolicy/policy/modules/apps/wine.fc 2008-08-07 11:15:02.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/wine.fc 2008-10-15 13:39:34.000000000 -0400 +@@ -2,3 +2,4 @@ + + /opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) + /opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.12/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-08-07 11:15:02.000000000 -0400 +++ serefpolicy-3.5.12/policy/modules/apps/wine.if 2008-10-14 15:00:15.000000000 -0400 @@ -6966,7 +6977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/files.if 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/files.if 2008-10-15 16:25:10.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -12745,8 +12756,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.12/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cups.fc 2008-10-14 15:00:15.000000000 -0400 -@@ -8,24 +8,33 @@ ++++ serefpolicy-3.5.12/policy/modules/services/cups.fc 2008-10-15 08:41:30.000000000 -0400 +@@ -8,24 +8,35 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -12761,6 +12772,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) @@ -12783,7 +12796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -@@ -33,7 +42,7 @@ +@@ -33,7 +44,7 @@ /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -12792,7 +12805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -43,10 +52,18 @@ +@@ -43,10 +54,18 @@ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) @@ -15412,8 +15425,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.12/policy/modules/services/lpd.fc --- nsaserefpolicy/policy/modules/services/lpd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/lpd.fc 2008-10-14 15:00:15.000000000 -0400 -@@ -22,11 +22,14 @@ ++++ serefpolicy-3.5.12/policy/modules/services/lpd.fc 2008-10-15 08:33:26.000000000 -0400 +@@ -3,6 +3,8 @@ + # + /dev/printer -s gen_context(system_u:object_r:printer_t,s0) + ++/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) ++ + # + # /usr + # +@@ -22,11 +24,15 @@ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) @@ -15428,6 +15450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.12/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.12/policy/modules/services/mailman.fc 2008-10-14 15:00:15.000000000 -0400 @@ -21131,7 +21154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.12/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/sendmail.te 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/sendmail.te 2008-10-14 21:46:27.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -21220,12 +21243,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` clamav_search_lib(sendmail_t) ++ clamav_stream_connect(sendmail_t) ') optional_policy(` - postfix_exec_master(sendmail_t) + cyrus_stream_connect(sendmail_t) -+ clamav_stream_connect(sendmail_t) +') + +optional_policy(` @@ -21573,7 +21596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.12/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/snmp.te 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/snmp.te 2008-10-15 14:52:54.000000000 -0400 @@ -9,6 +9,9 @@ type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) @@ -23228,7 +23251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.12/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/xserver.fc 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/xserver.fc 2008-10-15 10:01:13.000000000 -0400 @@ -1,13 +1,15 @@ # # HOME_DIR @@ -23264,7 +23287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt # -@@ -58,7 +55,8 @@ +@@ -58,9 +55,11 @@ # /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -23273,8 +23296,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) ++/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -89,16 +87,25 @@ + /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) + /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) +@@ -89,16 +88,25 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -23304,7 +23330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 21:00:40.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-15 15:53:52.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -23483,21 +23509,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # - # $1_xauth_t Local policy - # -- + - allow $1_xauth_t self:process signal; - allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; -- ++ domtrans_pattern($2, xauth_exec_t, xauth_t) ++ allow $2 xauth_t:process signal; + - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file) - - manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) - +- - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -+ domtrans_pattern($2, xauth_exec_t, xauth_t) -+ allow $2 xauth_t:process signal; - +- - allow $2 $1_xauth_t:process signal; + allow $2 xauth_home_t:file manage_file_perms; + allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -23515,7 +23541,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - files_read_etc_files($1_xauth_t) - files_search_pids($1_xauth_t) -- ++ ps_process_pattern($2,xauth_t) + - fs_getattr_xattr_fs($1_xauth_t) - fs_search_auto_mountpoints($1_xauth_t) - @@ -23533,8 +23560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_xauth_t) - ') -+ ps_process_pattern($2,xauth_t) - +- - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_xauth_t) - ') @@ -23571,7 +23597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints($1_iceauth_t) -@@ -473,34 +417,12 @@ +@@ -473,33 +417,12 @@ # # Device rules @@ -23581,7 +23607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send; + allow $2 $1_input_xevent_type:x_event send; allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send; - +- - # manage: xhost X11:ChangeHosts - # freeze: metacity X11:GrabKey - # force_cursor: metacity X11:GrabPointer @@ -23604,11 +23630,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - # setattr: metacity X11:InstallColormap - allow $2 $1_xserver_t:x_screen { saver_setattr saver_getattr setattr }; -- ++ allow $2 xdm_rootwindow_t:x_colormap remove_color; + # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER allow $2 info_xproperty_t:x_property { create write append }; - -@@ -616,7 +538,7 @@ +@@ -616,7 +539,7 @@ # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; @@ -23617,7 +23643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $2 self:shm create_shm_perms; -@@ -624,8 +546,8 @@ +@@ -624,8 +547,8 @@ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -23628,7 +23654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -649,13 +571,213 @@ +@@ -649,13 +572,210 @@ xserver_read_xdm_tmp_files($2) @@ -23670,8 +23696,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + attribute x_domain; + type $1_xserver_t; +# type $2_input_xevent_t; -+') -+ + ') + + allow $1_xserver_t self:netlink_selinux_socket create_socket_perms; + +# typeattribute $2_input_xevent_t $1_input_xevent_type; @@ -23708,7 +23734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # write: gnome-settings-daemon RANDR:SelectInput + # setattr: gnome-settings-daemon X11:GrabKey + # manage: metacity X11:ChangeWindowAttributes -+ allow $3 $1_rootwindow_t:x_drawable { read show write manage setattr get_property blend create add_child write receive set_property }; ++ allow $3 $1_rootwindow_t:x_drawable { show write manage setattr get_property blend create add_child write receive set_property }; + + # setattr: metacity X11:InstallColormap + allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr }; @@ -23808,12 +23834,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 manage_xevent_t:x_event receive; + allow $2 manage_xevent_t:x_synthetic_event { send receive }; + -+ allow $2 output_xext_t:x_extension { query use }; -+ allow $2 debug_xext_t:x_extension { query use }; -+ allow $2 screensaver_xext_t:x_extension { query use }; ++ allow $2 xextension_type:x_extension { query use }; + + allow $2 property_xevent_t:x_event receive; -+ allow $2 shmem_xext_t:x_extension { query use }; + +# allow $2 $1_client_xevent_t:x_synthetic_event receive; +# allow $2 $1_client_xevent_t:x_event receive; @@ -23840,13 +23863,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# xserver_use($1, $1, $2) + xserver_use(xdm, $1, $2) - ') - ++') ++ + ####################################### ## ## Interface to provide X object permissions on a given X server to -@@ -682,7 +804,7 @@ +@@ -682,7 +802,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -23855,7 +23878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -691,7 +813,6 @@ +@@ -691,7 +811,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -23863,7 +23886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -708,6 +829,7 @@ +@@ -708,6 +827,7 @@ class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -23871,7 +23894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -715,20 +837,22 @@ +@@ -715,20 +835,22 @@ # Declarations # @@ -23897,7 +23920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Local Policy -@@ -746,7 +870,7 @@ +@@ -746,7 +868,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -23906,7 +23929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -755,36 +879,30 @@ +@@ -755,36 +877,30 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -23953,7 +23976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Input # can receive own events -@@ -811,6 +929,12 @@ +@@ -811,6 +927,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; @@ -23966,7 +23989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -819,13 +943,15 @@ +@@ -819,13 +941,15 @@ # Other X Objects # can create and use cursors @@ -23986,7 +24009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -885,24 +1011,17 @@ +@@ -885,24 +1009,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -24018,7 +24041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow connections to X server. files_search_tmp($3) -@@ -917,16 +1036,12 @@ +@@ -917,16 +1034,16 @@ xserver_rw_session_template($1, $3, $4) xserver_use_user_fonts($1, $3) @@ -24034,11 +24057,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ') + allow $3 xdm_xproperty_t:x_property { write read }; + allow $3 xdm_xserver_t:x_screen { saver_hide saver_show }; ++ ++# allow $3 $1_rootwindow_t:x_drawable read; ++ allow $3 xdm_rootwindow_t:x_drawable read; ++ + xserver_use_xdm($3) ') ######################################## -@@ -958,26 +1073,43 @@ +@@ -958,26 +1075,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -24089,7 +24116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -1003,10 +1135,77 @@ +@@ -1003,10 +1137,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -24128,8 +24155,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +template(`xserver_read_user_xauth',` + gen_require(` + type xauth_home_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + allow $2 xauth_home_t:file { getattr read }; +') + @@ -24161,15 +24189,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +template(`xserver_read_user_iceauth',` + gen_require(` + type iceauth_home_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ ') ++ + # Read .Iceauthority file + allow $2 iceauth_home_t:file { getattr read }; ') ######################################## -@@ -1036,10 +1235,10 @@ +@@ -1036,10 +1237,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -24182,7 +24209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1225,6 +1424,25 @@ +@@ -1225,6 +1426,25 @@ ######################################## ## @@ -24208,7 +24235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read xdm-writable configuration files. ## ## -@@ -1279,6 +1497,7 @@ +@@ -1279,6 +1499,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -24216,7 +24243,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1297,7 +1516,7 @@ +@@ -1297,7 +1518,7 @@ ') files_search_pids($1) @@ -24225,7 +24252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1320,6 +1539,24 @@ +@@ -1320,6 +1541,24 @@ ######################################## ## @@ -24250,7 +24277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the X server in the XDM X server domain. ## ## -@@ -1330,15 +1567,47 @@ +@@ -1330,15 +1569,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -24299,7 +24326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1488,7 +1757,7 @@ +@@ -1488,7 +1759,7 @@ type xdm_xserver_tmp_t; ') @@ -24308,7 +24335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1680,6 +1949,26 @@ +@@ -1680,6 +1951,26 @@ ######################################## ## @@ -24335,7 +24362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## xdm xserver RW shared memory socket. ## ## -@@ -1698,6 +1987,24 @@ +@@ -1698,6 +1989,24 @@ ######################################## ## @@ -24360,7 +24387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1710,8 +2017,157 @@ +@@ -1710,8 +2019,157 @@ # interface(`xserver_unconfined',` gen_require(` @@ -26232,8 +26259,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.12/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/libraries.fc 2008-10-14 15:00:15.000000000 -0400 -@@ -60,12 +60,15 @@ ++++ serefpolicy-3.5.12/policy/modules/system/libraries.fc 2008-10-15 08:59:49.000000000 -0400 +@@ -60,12 +61,15 @@ # # /opt # @@ -26249,7 +26276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` # despite the extensions, they are actually libs /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -@@ -84,7 +87,8 @@ +@@ -84,7 +88,8 @@ ifdef(`distro_redhat',` /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26259,7 +26286,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -133,6 +137,7 @@ +@@ -123,6 +128,7 @@ + /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -133,6 +139,7 @@ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26267,7 +26302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,7 +173,8 @@ +@@ -168,7 +175,8 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26277,7 +26312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,6 +193,7 @@ +@@ -187,6 +195,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26285,7 +26320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,7 +253,7 @@ +@@ -246,7 +255,7 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26294,7 +26329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +274,8 @@ +@@ -267,6 +276,8 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26303,7 +26338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +300,8 @@ +@@ -291,6 +302,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26312,7 +26347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +321,15 @@ +@@ -310,3 +323,15 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -26501,6 +26536,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - logging_admin_syslog($1, $2) + logging_admin_syslog($1, $2, $3) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.12/policy/modules/system/logging.te +--- nsaserefpolicy/policy/modules/system/logging.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/logging.te 2008-10-15 15:31:45.000000000 -0400 +@@ -221,7 +221,7 @@ + # audit dispatcher local policy + # + +-allow audisp_t self:capability sys_nice; ++allow audisp_t self:capability { dac_override sys_nice }; + allow audisp_t self:process setsched; + allow audisp_t self:fifo_file rw_file_perms; + allow audisp_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.12/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.5.12/policy/modules/system/lvm.fc 2008-10-14 15:00:15.000000000 -0400 @@ -28250,7 +28297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.12/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/unconfined.fc 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/unconfined.fc 2008-10-15 08:43:45.000000000 -0400 @@ -2,15 +2,27 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -28290,7 +28337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.12/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/unconfined.if 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/unconfined.if 2008-10-15 08:50:25.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -28621,7 +28668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.12/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/unconfined.te 2008-10-14 15:12:41.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/unconfined.te 2008-10-15 08:45:32.000000000 -0400 @@ -6,35 +6,76 @@ # Declarations # @@ -28916,7 +28963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -229,14 +293,35 @@ +@@ -229,14 +293,43 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -28941,7 +28988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xserver_rw_xdm_xserver_shm(unconfined_execmem_t) - ') ++') + +######################################## +# @@ -28954,6 +29001,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) +domain_ptrace_all_domains(unconfined_notrans_t) ++ ++optional_policy(` ++ gen_require(` ++ type mplayer_exec_t; ++ ') ++ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) + ') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.12/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.5.12/policy/modules/system/userdomain.fc 2008-10-14 15:00:15.000000000 -0400 @@ -28969,7 +29024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/userdomain.if 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/userdomain.if 2008-10-15 10:27:06.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -29365,7 +29420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -369,18 +359,18 @@ +@@ -369,18 +359,19 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -29391,10 +29446,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_sock_files_pattern($1_usertype, user_tmp_t, user_tmp_t) + manage_fifo_files_pattern($1_usertype, user_tmp_t, user_tmp_t) + files_tmp_filetrans($1_usertype, user_tmp_t, { dir file lnk_file sock_file fifo_file }) ++ relabel_files_pattern($1_usertype, user_tmp_t, user_tmp_t) ') ####################################### -@@ -396,7 +386,13 @@ +@@ -396,7 +387,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -29409,7 +29465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -439,18 +435,15 @@ +@@ -439,18 +436,15 @@ # template(`userdom_manage_tmpfs_template',` gen_require(` @@ -29434,7 +29490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -468,17 +461,17 @@ +@@ -468,17 +462,17 @@ # template(`userdom_untrusted_content_template',` gen_require(` @@ -29455,7 +29511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_file($1_untrusted_content_tmp_t) # Allow user to relabel untrusted content -@@ -510,10 +503,6 @@ +@@ -510,10 +504,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -29466,7 +29522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin($1_t) ') -@@ -531,34 +520,20 @@ +@@ -531,34 +521,20 @@ ## # template(`userdom_basic_networking_template',` @@ -29513,7 +29569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -575,30 +550,33 @@ +@@ -575,30 +551,33 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -29563,7 +29619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -629,13 +607,7 @@ +@@ -629,13 +608,7 @@ ## ## The template for allowing the user to change roles. ## @@ -29578,7 +29634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -699,188 +671,202 @@ +@@ -699,188 +672,202 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -29862,7 +29918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -902,9 +888,7 @@ +@@ -902,9 +889,7 @@ ## # template(`userdom_login_user_template', ` @@ -29873,7 +29929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_base_user_template($1) -@@ -930,74 +914,77 @@ +@@ -930,74 +915,77 @@ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; @@ -29984,7 +30040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1031,9 +1018,6 @@ +@@ -1031,9 +1019,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -29994,7 +30050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1042,12 +1026,25 @@ +@@ -1042,12 +1027,25 @@ # # privileged home directory writers @@ -30026,7 +30082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1087,14 +1084,16 @@ +@@ -1087,14 +1085,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -30048,7 +30104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1101,23 @@ +@@ -1102,28 +1102,23 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -30082,7 +30138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1134,8 +1128,7 @@ +@@ -1134,8 +1129,7 @@ ## ## ##

@@ -30092,7 +30148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -1167,11 +1160,10 @@ +@@ -1167,11 +1161,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -30105,7 +30161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1181,49 @@ +@@ -1189,36 +1182,49 @@ ') ') @@ -30168,7 +30224,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1295,8 +1300,6 @@ +@@ -1295,8 +1301,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -30177,7 +30233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1321,6 @@ +@@ -1318,8 +1322,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -30186,7 +30242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1375,6 @@ +@@ -1374,13 +1376,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -30200,7 +30256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1426,7 @@ +@@ -1432,6 +1427,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -30208,7 +30264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1456,6 @@ +@@ -1461,10 +1457,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -30219,7 +30275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1475,14 @@ +@@ -1484,6 +1476,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -30234,7 +30290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1740,15 @@ +@@ -1741,11 +1741,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -30253,7 +30309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1844,11 @@ +@@ -1841,11 +1845,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -30267,7 +30323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1878,11 @@ +@@ -1875,11 +1879,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -30281,7 +30337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1926,12 @@ +@@ -1923,12 +1927,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -30297,7 +30353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1961,11 @@ +@@ -1958,10 +1962,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -30311,7 +30367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1997,47 @@ +@@ -1993,11 +1998,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -30361,7 +30417,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2069,10 @@ +@@ -2029,10 +2070,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -30374,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2102,11 @@ +@@ -2062,11 +2103,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -30388,7 +30444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2136,11 @@ +@@ -2096,11 +2137,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -30403,7 +30459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2170,14 @@ +@@ -2130,10 +2171,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -30420,7 +30476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2207,11 @@ +@@ -2163,11 +2208,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -30434,7 +30490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2241,11 @@ +@@ -2197,11 +2242,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -30448,7 +30504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2275,10 @@ +@@ -2231,10 +2276,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -30461,7 +30517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2310,12 @@ +@@ -2266,12 +2311,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -30477,7 +30533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2347,10 @@ +@@ -2303,10 +2348,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -30490,7 +30546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2382,12 @@ +@@ -2338,12 +2383,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -30506,7 +30562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2419,12 @@ +@@ -2375,12 +2420,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -30522,7 +30578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2456,12 @@ +@@ -2412,12 +2457,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -30538,7 +30594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2506,11 @@ +@@ -2462,11 +2507,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -30552,7 +30608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2555,11 @@ +@@ -2511,11 +2556,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -30566,7 +30622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2599,11 @@ +@@ -2555,11 +2600,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -30580,7 +30636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2633,11 @@ +@@ -2589,11 +2634,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -30594,7 +30650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2667,11 @@ +@@ -2623,11 +2668,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -30608,7 +30664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2703,10 @@ +@@ -2659,10 +2704,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -30621,7 +30677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2738,10 @@ +@@ -2694,10 +2739,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -30634,7 +30690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2771,12 @@ +@@ -2727,12 +2772,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -30650,7 +30706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2808,10 @@ +@@ -2764,10 +2809,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -30663,7 +30719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2843,10 @@ +@@ -2799,10 +2844,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -30676,7 +30732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2876,12 @@ +@@ -2832,12 +2877,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -30692,7 +30748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2913,10 @@ +@@ -2869,10 +2914,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -30705,7 +30761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2948,12 @@ +@@ -2904,12 +2949,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -30721,7 +30777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2985,11 @@ +@@ -2941,11 +2986,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -30735,7 +30791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3021,11 @@ +@@ -2977,11 +3022,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -30749,7 +30805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3057,11 @@ +@@ -3013,11 +3058,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -30763,7 +30819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3093,11 @@ +@@ -3049,11 +3094,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -30777,7 +30833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3129,11 @@ +@@ -3085,11 +3130,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -30791,7 +30847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3178,10 @@ +@@ -3134,10 +3179,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -30804,7 +30860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3222,19 @@ +@@ -3178,19 +3223,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -30828,7 +30884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -3211,13 +3255,13 @@ +@@ -3211,13 +3256,13 @@ # template(`userdom_rw_user_tmpfs_files',` gen_require(` @@ -30846,7 +30902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4616,11 +4660,11 @@ +@@ -4616,11 +4661,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -30860,7 +30916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4684,14 @@ +@@ -4640,6 +4685,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -30875,7 +30931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4729,8 @@ +@@ -4677,6 +4730,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -30884,7 +30940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4775,25 @@ +@@ -4721,6 +4776,25 @@ ######################################## ##

@@ -30910,7 +30966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5019,7 @@ +@@ -4946,7 +5020,7 @@ ######################################## ## @@ -30919,7 +30975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,6 +5391,42 @@ +@@ -5318,6 +5392,42 @@ ######################################## ## @@ -30962,7 +31018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write unprivileged user ttys. ## ## -@@ -5368,7 +5477,7 @@ +@@ -5368,7 +5478,7 @@ attribute userdomain; ') @@ -30971,7 +31027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -5483,6 +5592,42 @@ +@@ -5483,6 +5593,42 @@ ######################################## ## @@ -31014,7 +31070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5658,548 @@ +@@ -5513,3 +5659,548 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index bae17d2..d218ee5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.12 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -460,6 +460,9 @@ exit 0 %endif %changelog +* Wed Oct 15 2008 Dan Walsh 3.5.12-2 +- Fix labeling of libGL + * Fri Oct 10 2008 Dan Walsh 3.5.12-1 - Update to upstream