diff --git a/policy-20090105.patch b/policy-20090105.patch index c4c11d1..9cd83ea 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -850,8 +850,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-23 09:44:57.000000000 -0400 -@@ -146,6 +146,24 @@ ++++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-23 23:59:46.000000000 -0400 +@@ -66,6 +66,11 @@ + rpm_domtrans($1) + role $2 types rpm_t; + role $2 types rpm_script_t; ++ ++ domain_system_change_exemption($1) ++ role_transition $2 rpm_exec_t system_r; ++ allow $2 system_r; ++ + seutil_run_loadpolicy(rpm_script_t, $2) + seutil_run_semanage(rpm_script_t, $2) + seutil_run_setfiles(rpm_script_t, $2) +@@ -146,6 +151,24 @@ ######################################## ## @@ -876,7 +888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +185,48 @@ +@@ -167,6 +190,48 @@ ######################################## ## @@ -925,7 +937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +246,24 @@ +@@ -186,6 +251,24 @@ ######################################## ## @@ -950,7 +962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -204,6 +282,24 @@ +@@ -204,6 +287,24 @@ ######################################## ## 
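Review bot: The lines added in the rpm.if hunk at `@@ -66,6 +66,11 @@` (`domain_system_change_exemption($1)`, `role_transition $2 rpm_exec_t system_r;`, `allow $2 system_r;`) now apply to every caller of the enclosing interface. Before this commit the role transition was opt-in through `rpm_role_transition`, which the same commit deletes. The enclosing interface starts outside the hunk, so its doc comment and `gen_require` block are not visible; the doc comment should say that callers also gain a role change to system_r when executing rpm_exec_t, and the `gen_require` needs `type rpm_exec_t;` if it is not already there. A why-comment above the new lines, reusing the deleted interface's wording, would help: `# Transition to system_r when executing an rpm script`.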
@@ -975,7 +987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete RPM ## script temporary files. ## -@@ -219,7 +315,29 @@ +@@ -219,7 +320,29 @@ ') files_search_tmp($1) @@ -1005,7 +1017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -245,6 +363,24 @@ +@@ -245,6 +368,24 @@ ######################################## ## @@ -1030,7 +1042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM package database. ## ## -@@ -283,3 +419,175 @@ +@@ -283,3 +424,148 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1144,33 +1156,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Transition to system_r when execute an rpm script -+## -+## -+##

-+## Execute rpm script in a specified role -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+##
-+## -+## -+## Role to transition from. -+## -+## -+interface(`rpm_role_transition',` -+ gen_require(` -+ type rpm_exec_t; -+ ') -+ -+ role_transition $1 rpm_exec_t system_r; -+') -+ -+######################################## -+## +## Do not audit attempts to write, and delete the +## RPM var run files +## @@ -6393,7 +6378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## requiring the caller to use setexeccon(). diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-24 00:02:59.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; @@ -6557,7 +6542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol quota_run(sysadm_t, sysadm_r) ') -@@ -320,19 +258,12 @@ +@@ -320,10 +258,6 @@ ') optional_policy(` @@ -6568,17 +6553,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domtrans_nfsd(sysadm_t) ') +@@ -332,10 +266,6 @@ + ') + optional_policy(` - rpm_run(sysadm_t, sysadm_r) +- rssh_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- rssh_role(sysadm_r, sysadm_t) -+ rpm_role_transition(sysadm_r) + rsync_exec(sysadm_t) ') - optional_policy(` -@@ -345,10 +276,6 @@ +@@ -345,10 +275,6 @@ ') optional_policy(` @@ -6589,7 +6575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(sysadm_r) ') -@@ -358,35 +285,15 @@ +@@ -358,35 +284,15 @@ ') optional_policy(` 
@@ -6625,7 +6611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +301,10 @@ +@@ -394,18 +300,10 @@ ') optional_policy(` @@ -6644,7 +6630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(sysadm_t) ') -@@ -418,20 +317,12 @@ +@@ -418,20 +316,12 @@ ') optional_policy(` @@ -6665,7 +6651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vpn_run(sysadm_t, sysadm_r) ') -@@ -440,13 +331,10 @@ +@@ -440,13 +330,7 @@ ') optional_policy(` @@ -6680,10 +6666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol yam_run(sysadm_t, sysadm_r) ') + -+domain_user_exemption_target(sysadm_t) -+allow sysadm_r system_r; +init_script_role_transition(sysadm_r) -+role system_r types sysadm_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-23 09:44:57.000000000 -0400 
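Review bot: The last sysadm.te hunk drops `allow sysadm_r system_r;`, `role system_r types sysadm_t;` and `domain_user_exemption_target(sysadm_t)` but keeps `init_script_role_transition(sysadm_r)`. A role_transition only succeeds when a matching role allow rule exists, and after this change the only visible source of `allow sysadm_r system_r` is the line added to rpm.if, which sysadm.te presumably reaches through `rpm_run(sysadm_t, sysadm_r)` inside an `optional_policy` block. Unless `init_script_role_transition` supplies the allow itself (its body is not shown here), a policy built without the rpm module would deny the init-script transition for sysadm_r. Keeping `allow sysadm_r system_r;` next to the `init_script_role_transition(sysadm_r)` call would remove that dependency on rpm.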
@@ -7364,8 +7347,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-23 09:44:57.000000000 -0400 -@@ -0,0 +1,403 @@ ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-24 00:00:31.000000000 -0400 +@@ -0,0 +1,400 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -7638,7 +7621,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) -+ rpm_role_transition(unconfined_r) +') + +optional_policy(` @@ -7767,8 +7749,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -+ -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te 2009-04-23 09:44:57.000000000 -0400 
@@ -27924,7 +27904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.12/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te 2009-04-23 23:08:07.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -29523,7 +29503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-23 23:55:27.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 68f3ee7..d893826 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 14%{?dist} +Release: 15%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -213,8 +213,8 @@ make clean %if %{BUILD_TARGETED} # Build targeted policy # Commented out because only targeted ref policy currently builds -%setupCmds targeted mcs n y allow -%installCmds targeted mcs n y allow +%setupCmds targeted mcs y y allow +%installCmds targeted mcs y y allow %endif %if %{BUILD_MINIMUM} 
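Review bot: The changelog entry for 3.6.12-15 says only "Additional perms for readahead", but the targeted build's third argument to `%setupCmds` and `%installCmds` flips from `n` to `y`, and the next hunk changes `DIRECT_INITRC=n` to `DIRECT_INITRC=y` for the headers build. If that third macro argument is DIRECT_INITRC (the macro definition is outside the hunk), this changes how administrative domains reach init scripts in the targeted policy and deserves its own line, e.g. `- Build targeted policy with DIRECT_INITRC=y`. The comment `# Commented out because only targeted ref policy currently builds` above the two lines no longer describes them and should be reworded or dropped. The olpc build (`%installCmds olpc mcs n y allow`) keeps `n`, so it is worth confirming that the asymmetry is intended.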
@@ -237,7 +237,7 @@ make clean %installCmds olpc mcs n y allow %endif -make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs +make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs mkdir %{buildroot}%{_usr}/share/selinux/devel/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/ @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Thu Apr 23 2009 Dan Walsh 3.6.12-15 +- Additional perms for readahead + * Thu Apr 23 2009 Dan Walsh 3.6.12-14 - Allow pulseaudio to acquire_svc on session bus - Fix readahead labeling