diff --git a/policy-F15.patch b/policy-F15.patch index e8e3b9b..06da897 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -220,18 +220,35 @@ index 90d5203..1392679 100644 ## ## diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te -index 453834c..5ff732d 100644 +index 453834c..9d83d66 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te -@@ -11,7 +11,7 @@ init_system_domain(alsa_t, alsa_exec_t) +@@ -11,7 +11,10 @@ init_system_domain(alsa_t, alsa_exec_t) role system_r types alsa_t; type alsa_etc_rw_t; -files_type(alsa_etc_rw_t) +files_config_file(alsa_etc_rw_t) ++ ++type alsa_tmp_t; ++files_tmp_file(alsa_tmp_t) type alsa_var_lib_t; files_type(alsa_var_lib_t) +@@ -39,6 +42,13 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) + + can_exec(alsa_t, alsa_exec_t) + ++manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) ++manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) ++files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) ++userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) ++userdom_dontaudit_setattr_user_tmp(alsa_t) ++ ++ + manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + files_search_var_lib(alsa_t) diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te index f76ed8a..9a9526a 100644 --- a/policy/modules/admin/anaconda.te @@ -347,7 +364,7 @@ index a2e9cb5..b2de42c 100644 optional_policy(` apache_exec_modules(certwatch_t) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index 66fee7d..9191e32 100644 +index 66fee7d..1d231b8 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -79,16 +79,18 @@ optional_policy(` @@ -355,7 +372,7 @@ index 66fee7d..9191e32 100644 optional_policy(` + devicekit_dontaudit_read_pid_files(consoletype_t) -+ devicekit_dontaudit_write_log(consoletype_t) ++ devicekit_dontaudit_rw_log(consoletype_t) +') + +optional_policy(` @@ -4165,7 +4182,7 @@ index 9a6d67d..b0c1197 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..9826f66 100644 +index cbf4bec..1aa992d 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2) @@ -4247,7 +4264,7 @@ index cbf4bec..9826f66 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,144 @@ optional_policy(` +@@ -266,3 +291,145 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -4375,6 +4392,7 @@ index cbf4bec..9826f66 100644 + nsplugin_manage_home_dirs(mozilla_plugin_t) + nsplugin_manage_home_files(mozilla_plugin_t) + nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) ++ nsplugin_user_home_filetrans(mozilla_plugin_t, file) + nsplugin_signal(mozilla_plugin_t) +') + @@ -4495,10 +4513,10 @@ index 0000000..717eb3f +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 -index 0000000..c06e99e +index 0000000..4f9cb05 --- /dev/null +++ b/policy/modules/apps/nsplugin.if -@@ -0,0 +1,455 @@ +@@ -0,0 +1,480 @@ + +## policy for nsplugin + @@ -4933,7 +4951,32 @@ index 0000000..c06e99e + type nsplugin_home_t; + ') + -+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2) ++ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2) ++') ++ ++####################################### ++## ++## Create objects in a user home directory ++## with an automatic type transition to ++## the nsplugin home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`nsplugin_user_home_filetrans',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2) +') + +######################################## @@ -15986,10 +16029,10 @@ index 0000000..fa9b95a +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..4bc3f06 +index 0000000..3b58d07 --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,169 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -16110,7 +16153,7 @@ index 0000000..4bc3f06 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +allow boinc_t boinc_project_t:process sigkill; + -+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop }; ++allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; + +allow boinc_project_t self:fifo_file rw_fifo_file_perms; @@ -16150,6 +16193,8 @@ index 0000000..4bc3f06 +dev_rw_xserver_misc(boinc_project_t) + +files_read_etc_files(boinc_project_t) ++files_read_etc_runtime_files(boinc_project_t) ++files_read_usr_files(boinc_project_t) + +miscfiles_read_fonts(boinc_project_t) +miscfiles_read_localization(boinc_project_t) @@ -17119,7 +17164,7 @@ index 1f11572..7f6a7ab 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index 8c36027..532fa91 100644 +index 8c36027..28863a5 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,9 @@ @@ -17226,7 +17271,11 @@ index 8c36027..532fa91 100644 ######################################## # # clamscam local policy -@@ -251,6 +266,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) +@@ -248,9 +263,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t) + corenet_tcp_sendrecv_generic_node(clamscan_t) + corenet_tcp_sendrecv_all_ports(clamscan_t) + corenet_tcp_sendrecv_clamd_port(clamscan_t) ++corenet_tcp_bind_generic_node(clamscan_t) corenet_tcp_connect_clamd_port(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) @@ -17234,6 +17283,16 @@ index 8c36027..532fa91 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) +@@ -265,6 +282,9 @@ miscfiles_read_public_files(clamscan_t) + clamav_stream_connect(clamscan_t) + + mta_send_mail(clamscan_t) ++mta_read_queue(clamscan_t) ++ ++sysnet_read_config(clamscan_t) + + optional_policy(` + amavis_read_spool_files(clamscan_t) diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if index c0a66a4..e438c5f 100644 --- a/policy/modules/services/clogd.if @@ -19737,7 +19796,7 @@ index 418a5a0..28d9e41 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..4b3d7f7 100644 +index f706b99..6149a45 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -19752,7 +19811,7 @@ index f706b99..4b3d7f7 100644 ## # interface(`devicekit_domtrans',` -@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',` +@@ -118,6 +118,82 @@ interface(`devicekit_dbus_chat_power',` allow devicekit_power_t $1:dbus send_msg; ') @@ -19794,6 +19853,25 @@ index f706b99..4b3d7f7 100644 + dontaudit $1 devicekit_var_log_t:file { write }; +') + ++###################################### ++## ++## Do not audit attempts to read and write the devicekit ++## log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_rw_log',` ++ gen_require(` ++ type devicekit_var_log_t; ++ ') ++ ++ dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms; ++') ++ +######################################## +## +## Allow the domain to read devicekit_power state files in /proc. @@ -19816,7 +19894,7 @@ index f706b99..4b3d7f7 100644 ######################################## ## ## Read devicekit PID files. -@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',` +@@ -139,22 +215,52 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -19876,7 +19954,7 @@ index f706b99..4b3d7f7 100644 ## ## ## -@@ -165,21 +252,22 @@ interface(`devicekit_admin',` +@@ -165,21 +271,22 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index d0fa960..1b91150 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.10 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Fri Dec 10 2010 Miroslav Grepl 3.9.9-10 +- Fixes for clamscan and boinc policy +- Add boinc_project_t setpgid +- Allow alsa to create tmp files in /tmp + * Tue Dec 7 2010 Miroslav Grepl 3.9.9-9 - Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy