diff --git a/policy-20071130.patch b/policy-20071130.patch
index 560400f..480aa16 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -4775,7 +4775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc 2008-02-11 14:27:33.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc 2008-02-12 12:56:07.000000000 -0500
 @@ -7,11 +7,11 @@
 /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4820,17 +4820,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /usr
 #
-@@ -147,7 +157,8 @@
- /usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -144,10 +154,7 @@
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/cups/drivers(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
-@@ -186,7 +197,10 @@
+@@ -186,7 +193,10 @@
 /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -4841,7 +4843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +298,9 @@
+@@ -284,3 +294,9 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
 ')
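Review bot: The replacement `++/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)` in the hunk at @@ -4820,17 +4820,19 @@ labels the entire cups library tree bin_t, whereas the lines it supersedes (backend, cgi-bin, daemon, filter, drivers) named only the subtrees that hold executables, so anything else installed under /usr/lib/cups — including files that are not programs — now carries an executable type that every domain allowed to execute bin_t can run, and the `--` file-only qualifier the old cgi-bin rule had is gone as well. The page does not show what else lives in that directory, so the widening may be intended; if so, a comment above the line recording that would stop the next maintainer from narrowing it again, e.g. `# whole tree is bin_t: cups installs only helper executables here (confirm for this release)`. If the goal was only to fold the three subtrees dropped from the earlier inner hunk into this one, per-subtree patterns keep the executable label as narrow as it was before.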
@@ -5484,7 +5486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.7/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/kernel/domain.te 2008-02-11 16:43:14.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/domain.te 2008-02-12 13:19:51.000000000 -0500
 @@ -5,6 +5,13 @@
 #
 # Declarations
@@ -5647,7 +5649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.7/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/kernel/filesystem.if 2008-02-12 09:41:43.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/filesystem.if 2008-02-12 13:01:12.000000000 -0500
 @@ -310,6 +310,25 @@
 ########################################
@@ -6058,7 +6060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
 ## SELinux protections for filesystem objects, and
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.7/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-09-12 10:34:17.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/kernel/terminal.if 2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/terminal.if 2008-02-12 13:00:27.000000000 -0500
 @@ -525,11 +525,13 @@
 interface(`term_use_generic_ptys',`
 gen_require(`
@@ -21847,7 +21849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.7/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/xserver.te 2008-02-12 12:43:50.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/xserver.te 2008-02-12 13:25:46.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -22052,7 +22054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -304,7 +363,27 @@ +@@ -304,7 +363,11 @@ ') optional_policy(` @@ -22062,8 +22064,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +optional_policy(` + consolekit_read_log(xdm_t) -+ -+optional_policy(` + ') + + optional_policy(` +@@ -312,6 +375,23 @@ + ') + + optional_policy(` + dbus_per_role_template(xdm, xdm_t, system_r) + dbus_system_bus_client_template(xdm, xdm_t) + @@ -22078,10 +22085,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') - ') - - optional_policy(` -@@ -322,6 +401,10 @@ ++') ++ ++optional_policy(` + # Talk to the console mouse server. + gpm_stream_connect(xdm_t) + gpm_setattr_gpmctl(xdm_t) +@@ -322,6 +402,10 @@ ') optional_policy(` @@ -22092,7 +22102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +418,11 @@ +@@ -335,6 +419,11 @@ ') optional_policy(` @@ -22104,7 +22114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +431,8 @@ +@@ -343,8 +432,8 @@ ') optional_policy(` 
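Review bot: The block boundaries added in the hunk at @@ -22078,10 +22085,13 @@ (`++')`, `++`, `++optional_policy(``) leave the consolekit and dbus optional_policy blocks for xdm_t without the one-line comment that the neighbouring gpm block carries (`# Talk to the console mouse server.`), so the reason xdm_t becomes a system-bus client and is allowed to chat with NetworkManager is not recorded next to the grants. A comment at the top of each block, e.g. `# ConsoleKit: read-only access to its log` and `# D-Bus system bus client; NetworkManager chat only when both modules are present`, would match the file's existing style and make the nested networkmanager block easier to audit. The consolekit block is opened in the hunk at @@ -22062,8 +22064,13 @@ and the dbus block's first lines are context there, so both blocks straddle hunks and their full extent is not visible here.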
@@ -22114,7 +22124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +468,7 @@ +@@ -380,7 +469,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -22123,7 +22133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +480,15 @@ +@@ -392,6 +481,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -22139,7 +22149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,6 +501,7 @@ +@@ -404,6 +502,7 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -22147,7 +22157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_all_users_fonts(xdm_xserver_t) -@@ -420,6 +518,14 @@ +@@ -420,6 +519,14 @@ ') optional_policy(` @@ -22162,7 +22172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +535,103 @@ +@@ -429,47 +536,103 @@ ') optional_policy(` @@ -24144,7 +24154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.7/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/modutils.te 2008-02-06 11:08:30.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/modutils.te 2008-02-12 13:01:36.000000000 -0500 @@ -42,7 +42,7 @@ # insmod local policy # 
@@ -24181,13 +24191,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti libs_use_ld_so(insmod_t) libs_use_shared_libs(insmod_t) -@@ -118,11 +118,27 @@ +@@ -118,11 +118,28 @@ ') ') +term_dontaudit_use_unallocated_ttys(insmod_t) +userdom_dontaudit_search_users_home_dirs(insmod_t) +userdom_dontaudit_search_sysadm_home_dirs(insmod_t) ++fs_dontaudit_use_tmpfs_chr_dev(insmod_t) + if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t,insmod_exec_t) @@ -24209,7 +24220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti hotplug_search_config(insmod_t) ') -@@ -155,10 +171,12 @@ +@@ -155,10 +172,12 @@ optional_policy(` rpm_rw_pipes(insmod_t) @@ -24222,7 +24233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -@@ -185,6 +203,7 @@ +@@ -185,6 +204,7 @@ files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) @@ -24230,7 +24241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti fs_getattr_xattr_fs(depmod_t) -@@ -208,9 +227,11 @@ +@@ -208,9 +228,11 @@ # Read System.map from home directories. files_list_home(depmod_t) @@ -24243,7 +24254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(depmod_t) -@@ -219,11 +240,12 @@ +@@ -219,11 +241,12 @@ optional_policy(` # Read System.map from home directories.
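Review bot: The added `+fs_dontaudit_use_tmpfs_chr_dev(insmod_t)` in the hunk at @@ -24181,13 +24191,14 @@ joins three other uncommented dontaudit rules (unallocated ttys, users' and sysadm home dirs) placed above `if( ! secure_mode_insmod ) {`, so they apply regardless of that boolean and nothing records which access is being silenced. A dontaudit hides the denial without granting it, so if insmod genuinely needs the tmpfs-backed device node the module load will fail with no AVC message to diagnose it, and a later reader cannot distinguish expected noise from a regression. A comment above the group, e.g. `# Silence, do not grant: insmod probes ttys, home dirs and tmpfs /dev nodes from its callers' context — presumably early boot; confirm the trigger before widening`, would keep the intent reviewable.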