diff --git a/modules-minimum.conf b/modules-minimum.conf
index 29e28c9..3c06644 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -340,6 +340,13 @@ dcc = module
 # ddcprobe = off
+# Layer: services
+# Module: devicekit
+#
+# devicekit-daemon
+#
+devicekit = module
+
 # Layer: kernel
 # Module: devices
 # Required in base
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 29e28c9..3c06644 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -340,6 +340,13 @@ dcc = module
 # ddcprobe = off
+# Layer: services
+# Module: devicekit
+#
+# devicekit-daemon
+#
+devicekit = module
+
 # Layer: kernel
 # Module: devices
 # Required in base
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 6480d1f..508ddcb 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -8349,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 17:10:55.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 17:34:22.000000000 -0500
 @@ -19,6 +19,8 @@ # Declarations #
@@ -8444,16 +8444,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
-@@ -187,15 +233,22 @@
+@@ -187,15 +233,20 @@
 files_tmpfs_file(httpd_tmpfs_t)
 apache_content_template(user)
 + ubac_constrained(httpd_user_script_t)
-+typeattribute httpd_user_content_t, httpdcontent;
-+typeattribute httpd_user_content_rw_t, httpdcontent;
-+typeattribute httpd_user_content_ra_t, httpdcontent;
-+typeattribute httpd_user_script_exec_t, httpdcontent;
++typeattribute httpd_user_content_t httpdcontent;
++typeattribute httpd_user_content_rw_t httpdcontent;
++typeattribute httpd_user_content_ra_t httpdcontent;
 + userdom_user_home_content(httpd_user_content_t)
 userdom_user_home_content(httpd_user_htaccess_t)
@@ -8462,7 +8461,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -userdom_user_home_content(httpd_user_script_ro_t)
 -userdom_user_home_content(httpd_user_script_rw_t)
 +userdom_user_home_content(httpd_user_content_ra_t)
-+userdom_user_home_content(httpd_user_content_ro_t)
 +userdom_user_home_content(httpd_user_content_rw_t)
 typeattribute httpd_user_script_t httpd_script_domains;
 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -8470,7 +8468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-@@ -230,7 +283,7 @@
+@@ -230,7 +281,7 @@ # Apache server local policy #
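Review bot: The three `typeattribute httpd_user_content_t httpdcontent;` lines (and their rw/ra siblings) put the per-user home content types into the httpdcontent attribute, so every rule written against httpdcontent now reaches user home directories too — on this page that includes `allow httpd_user_script_t httpdcontent:file entrypoint;` under `httpd_enable_cgi && httpd_unified` and the `manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)` / `manage_files_pattern` pair, which presumably sit inside the httpd_unified tunable whose header is outside the visible hunks. Nothing next to the declaration records that the nominally read-only httpd_user_content_t becomes writable by httpd_t and a valid script entrypoint once that boolean is on, which is exactly what an administrator weighing httpd_unified needs to find when reading this block. I would add above the first typeattribute line: `# httpdcontent membership: these user types inherit every httpd_unified / httpd_enable_cgi rule on that attribute, including write and entrypoint access`. The comma removal itself is right — typeattribute takes no comma between the type and its first attribute — and the enclosing apache_content_template section starts before this hunk.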
@@ -8479,7 +8477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -272,6 +325,7 @@ +@@ -272,6 +323,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -8487,7 +8485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -283,9 +337,9 @@ +@@ -283,9 +335,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -8500,7 +8498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -301,6 +355,7 @@ +@@ -301,6 +353,7 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -8508,7 +8506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -312,6 +367,7 @@ +@@ -312,6 +365,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -8516,7 +8514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -322,6 +378,7 @@ +@@ -322,6 +376,7 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -8524,7 +8522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -335,12 +392,12 @@ +@@ -335,12 +390,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -8540,7 +8538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -358,6 +415,10 @@ +@@ -358,6 +413,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -8551,7 +8549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_read_lib_files(httpd_t) -@@ -372,18 +433,33 @@ +@@ -372,18 +431,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -8589,7 +8587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -391,20 +467,54 @@ +@@ -391,20 +465,54 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -8645,7 +8643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -415,20 +525,28 @@ +@@ -415,20 +523,28 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -8678,7 +8676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -459,8 +577,13 @@ +@@ -459,8 +575,13 @@ ') optional_policy(` 
@@ -8694,7 +8692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -472,18 +595,13 @@ +@@ -472,18 +593,13 @@ ') optional_policy(` @@ -8714,7 +8712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -493,6 +611,12 @@ +@@ -493,6 +609,12 @@ openca_kill(httpd_t) ') @@ -8727,7 +8725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -500,6 +624,7 @@ +@@ -500,6 +622,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -8735,7 +8733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +633,7 @@ +@@ -508,6 +631,7 @@ ') optional_policy(` @@ -8743,7 +8741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +661,22 @@ +@@ -535,6 +659,22 @@ userdom_use_user_terminals(httpd_helper_t) @@ -8766,7 +8764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +706,25 @@ +@@ -564,20 +704,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -8798,7 +8796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +742,24 @@ +@@ -595,23 +740,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) 
@@ -8827,7 +8825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +772,7 @@ +@@ -624,6 +770,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -8835,20 +8833,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -641,12 +790,25 @@ +@@ -641,12 +788,23 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') +read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) +read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t) -+read_files_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_ro_t) +read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t) + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + domtrans_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_script_t) -+ domtrans_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_t) + domtrans_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_t) + domtrans_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_t) + @@ -8864,7 +8860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -655,6 +817,12 @@ +@@ -655,6 +813,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') 
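Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` stays unconditional in the rewritten -641 hunk — the `')` two lines above closes the httpd_can_network_connect tunable and the `tunable_policy(\`httpd_enable_cgi && httpd_unified',` block only opens on the following line — so every httpd_sys_content_t file is an entrypoint for httpd_sys_script_t even when CGI is disabled, while the domtrans rules that would use it are gated. Unless a rule outside this hunk depends on that entrypoint with CGI off, moving the line inside the tunable keeps the always-on rule set minimal: `tunable_policy(\`httpd_enable_cgi && httpd_unified',` / `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` / `domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)`. Dropping the `httpd_user_script_ro_t` read and domtrans lines is consistent with the userdom_user_home_content cleanup earlier in the patch. The hunk cuts into the middle of apache.te's suexec rules, so the statements before and after it are not visible here.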
@@ -8877,7 +8873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -672,15 +840,14 @@ +@@ -672,15 +836,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -8896,7 +8892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +866,24 @@ +@@ -699,12 +862,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -8923,7 +8919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +891,35 @@ +@@ -712,6 +887,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -8959,7 +8955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +932,10 @@ +@@ -724,6 +928,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -8970,7 +8966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +947,8 @@ +@@ -735,6 +943,8 @@ # httpd_rotatelogs local policy # @@ -8979,7 +8975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,6 +968,9 @@ +@@ -754,6 +964,9 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -8989,7 +8985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # allow accessing files/dirs below the users home dir -@@ -762,3 +979,66 @@ +@@ -762,3 +975,66 @@ userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') @@ -11422,7 +11418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:09:09.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:17:14.000000000 -0500 @@ -0,0 +1,139 @@ + +## policy for devicekit @@ -11521,7 +11517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`devicekit_power_dbus_chat',` + gen_require(` -+ type devicekit_t; ++ type devicekit_power_t; + class dbus send_msg; + ') + @@ -20523,14 +20519,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.3/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/squid.te 2009-01-19 15:16:22.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/squid.te 2009-01-19 17:24:18.000000000 -0500 
@@ -118,6 +118,9 @@
 fs_getattr_all_fs(squid_t)
 fs_search_auto_mountpoints(squid_t)
 +#squid requires the following when run in diskd mode, the recommended setting
 +fs_rw_tmpfs_files(squid_t)
-+fs_list_inotify(squid_t)
++fs_list_inotifyfs(squid_t)
 selinux_dontaudit_getattr_dir(squid_t)
@@ -26410,7 +26406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:08:20.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:15:36.000000000 -0500
 @@ -30,8 +30,9 @@
 ')
@@ -26979,7 +26975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 - hal_dbus_chat($1_t)
-+ devkit_power_dbus_chat($1_usertype)
++ devicekit_power_dbus_chat($1_usertype)
 ')
 optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ebd57e1..47c8aaa 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,9 @@ exit 0
 %endif
 %changelog
+* Mon Jan 19 2009 Dan Walsh 3.6.3-2
+- Add devicekit policy
+
 * Mon Jan 19 2009 Dan Walsh 3.6.3-1
 - Update to upstream
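Review bot: The comment above the renamed call, `#squid requires the following when run in diskd mode, the recommended setting`, does not say which of the two interfaces diskd actually needs or what "recommended" qualifies, and the neighbouring `fs_rw_tmpfs_files(squid_t)` grants read/write on every generic tmpfs file rather than on a squid-owned type. I would tighten the comment to `# diskd mode (the recommended setting) needs tmpfs file read/write and inotifyfs listing` and, if the objects diskd creates under tmpfs can be labeled, give them a dedicated squid type with a filetrans instead of the generic tmpfs access — I cannot tell from this hunk what diskd creates there, so that part needs checking against squid. The interface rename to `fs_list_inotifyfs` is the correct name. The hunk sits in the middle of squid.te's main domain rules, which start before it.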