diff --git a/policy-20090105.patch b/policy-20090105.patch
index 0a76544..5a10e59 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -4522,6 +4522,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # network_node examples:
 #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
 #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-24 15:09:41.000000000 -0400
+@@ -91,6 +91,7 @@
+ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+ /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.10/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-03-05 12:28:57.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/kernel/devices.te 2009-03-24 15:08:54.000000000 -0400
+@@ -188,6 +188,12 @@
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+
+ #
++# Type for /dev/tpm
++#
++type tpm_device_t;
++dev_node(tpm_device_t)
++
++#
+ # urandom_device_t is the type of /dev/urandom
+ #
+ type urandom_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.10/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/kernel/domain.if 2009-03-24
09:03:48.000000000 -0400 @@ -12100,7 +12127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-24 09:03:48.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-24 10:36:54.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -12142,10 +12169,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +292,13 @@ +@@ -277,6 +292,17 @@ ') optional_policy(` ++ ppp_read_rw_config(hald_t) ++') ++ ++optional_policy(` + polkit_domtrans_auth(hald_t) + polkit_domtrans_resolve(hald_t) + polkit_read_lib(hald_t) @@ -12156,7 +12187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -301,12 +323,16 @@ +@@ -301,12 +327,16 @@ virt_manage_images(hald_t) ') @@ -12174,7 +12205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -321,6 +347,7 @@ +@@ -321,6 +351,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -12182,7 +12213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -339,6 +366,8 @@ +@@ -339,6 +370,8 @@ storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) 
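Review bot: The hunk declares `tpm_device_t` and labels `/dev/tpm[0-9]*` with it, but adds no interface over the new type in devices.if, so after this patch no domain can be granted TPM access through the module's interface layer and whatever daemon drives the TPM will be denied on the device until one exists. Deny-by-default is the right starting point for a device that accepts owner-level commands and NVRAM writes, but it should be deliberate: either add the per-device interface following the module's existing naming (something like `dev_rw_tpm`, plus a dontaudit variant for domains that probe /dev) in the same change, or state in the changelog that it follows. The new `# Type for /dev/tpm` comment also departs from the convention visible two lines below it (`# urandom_device_t is the type of /dev/urandom`); suggest `# tpm_device_t is the type of /dev/tpm*, the TPM character device`.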
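Review bot: `ppp_read_rw_config(hald_t)` gives the HAL daemon write access to pppd's writable configuration type with no stated reason, and hald_t is already a broad domain (the neighbouring block lets it transition to the polkit helpers), so a write grant into another service's configuration deserves a why-comment above the call, e.g. `# hald needs to modify pppd configuration for <reason>` with the reason filled in. If HAL only has to read those files, a read-only ppp interface, if ppp.if provides one, would be the narrower grant. The interface itself is presumably defined by the ppp.if hunk later in this patch (`@@ -58,6 +58,25 @@`), whose body is not visible here, so I could not confirm exactly which file types it opens for writing.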
@@ -12191,7 +12222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(hald_acl_t) -@@ -346,12 +375,18 @@ +@@ -346,12 +379,18 @@ miscfiles_read_localization(hald_acl_t) @@ -12211,7 +12242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; -@@ -374,6 +409,8 @@ +@@ -374,6 +413,8 @@ auth_use_nsswitch(hald_mac_t) @@ -12220,7 +12251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(hald_mac_t) ######################################## -@@ -418,3 +455,49 @@ +@@ -418,3 +459,49 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) @@ -16693,7 +16724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /sbin diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.10/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ppp.if 2009-03-24 09:03:48.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/ppp.if 2009-03-24 10:36:17.000000000 -0400 @@ -58,6 +58,25 @@ ######################################## 
@@ -21101,8 +21132,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.10/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/virt.fc 2009-03-24 09:03:48.000000000 -0400 -@@ -8,5 +8,14 @@ ++++ serefpolicy-3.6.10/policy/modules/services/virt.fc 2009-03-24 15:39:18.000000000 -0400 +@@ -8,5 +8,15 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) @@ -21113,6 +21144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) + @@ -21267,7 +21299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-24 09:03:48.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-24 15:41:15.000000000 -0400 @@ -8,20 +8,18 @@ ## @@ -21450,8 +21482,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + kerberos_keytab_template(virtd, virtd_t) +') -+ -+optional_policy(` + + optional_policy(` +- qemu_domtrans(virtd_t) + lvm_domtrans(virtd_t) +') + 
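Review bot: `HOME_DIR/.virtinst(/.*)?` is a path-based label with no accompanying file transition, so the directory and whatever virt-install writes there (presumably the kernels and initrds it downloads for network installs, to be confirmed) will carry the ordinary home-directory label until `restorecon` or a relabel runs; the `virt_content_t` read grant for svirt_t later in this patch only takes effect once the label is actually applied. A short note in the changelog or a comment next to the entry, e.g. `# existing ~/.virtinst dirs need restorecon to pick up this label`, would save users an AVC hunt. Also confirm that the domain virt-install runs in can still create and write files under the new `virt_content_t` label, since this patch only gives svirt_t read access to it (not visible here).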
@@ -21460,9 +21493,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_domtrans_resolve(virtd_t) + polkit_read_lib(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -21471,7 +21503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -198,5 +262,73 @@ +@@ -198,5 +262,76 @@ ') optional_policy(` @@ -21508,6 +21540,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) +manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) + ++list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) ++read_files_pattern(svirt_t, virt_content_t, virt_content_t) ++ +storage_raw_write_removable_device(svirt_t) +storage_raw_read_removable_device(svirt_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 5856290..61bca9b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.10 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Thu Mar 19 2009 Dan Walsh 3.6.10-2 +- Fixes to allow svirt read iso files in homedir + * Thu Mar 19 2009 Dan Walsh 3.6.10-1 - Add xenner and wine fixes from mgrepl diff --git a/sources b/sources index f282b47..9e77069 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -318ceaa56514c9435de330293523369f serefpolicy-3.6.10.tgz +38720499e445f99f9e2d4df792f2b6f5 serefpolicy-3.6.10.tgz
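Review bot: The two new `*_pattern(svirt_t, virt_content_t, virt_content_t)` rules give every svirt_t guest read access to all `virt_content_t` content, and virt.fc labels that type with plain `s0`, so as far as I can tell nothing in MCS separates one guest's install media from another's: any guest, or a compromised qemu, can read every ISO and `.virtinst` download on the host that DAC lets it reach. That is presumably the intent for shared install media, but it should be said above the rules, e.g. `# shared, read-only install media (ISOs, virt-install boot files); not per-guest MCS-isolated`. Separately, `read_files_pattern` only grants search on `virt_content_t` directories themselves; reaching `HOME_DIR/.virtinst` also requires search on the user's home directory for svirt_t, which this hunk does not add, so confirm it is granted elsewhere or the home-directory case named in the changelog will still be denied.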