diff --git a/policy-20080710.patch b/policy-20080710.patch index 00a22d4..6c767e1 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -21454,7 +21454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_use_script_fds(setroubleshootd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.12/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 21:15:21.000000000 -0400 @@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -21479,7 +21479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_all_nodes(fsdaemon_t) corenet_udp_sendrecv_all_ports(fsdaemon_t) -+dev_del_generic_dirs(fsdaemon_t) ++dev_delete_generic_dirs(fsdaemon_t) dev_read_sysfs(fsdaemon_t) dev_read_urand(fsdaemon_t) @@ -22982,7 +22982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.12/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 15:00:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 21:22:03.000000000 -0400 @@ -78,6 +78,24 @@ ######################################## 
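Review bot: In the smartmon.te section (outer hunk at -21479), `dev_delete_generic_dirs(fsdaemon_t)` gives the disk-monitoring daemon domain the right to remove generically labelled directories under /dev, and nothing on the visible lines records why it needs that. I would put a one-line comment above the call, for example `# fsdaemon_t removes <directory> under /dev, see <bug or AVC reference>`, with the placeholders filled in from the denial that motivated the rule. If the daemon only ever removes one known directory, a dedicated type for that directory would be narrower than access to every generic /dev directory. The rest of the smartmon.te rule block lies outside this hunk, so an explanation may already exist elsewhere.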
@@ -23072,19 +23072,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol virt_manage_lib_files($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 15:00:15.000000000 -0400 -@@ -28,9 +28,7 @@ ++++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 21:22:40.000000000 -0400 +@@ -5,6 +5,7 @@ + # + # Declarations + # ++attribute virt_image_type; + + ## + ##

+@@ -27,10 +28,8 @@ + files_type(virt_etc_rw_t) # virt Image files - type virt_image_t; # customizable +-type virt_image_t; # customizable -files_type(virt_image_t) -# virt_image_t can be assigned to blk devices -dev_node(virt_image_t) ++type virt_image_t, virt_image_type; # customizable +virt_image(virt_image_t) type virt_log_t; logging_log_file(virt_log_t) -@@ -45,6 +43,9 @@ +@@ -45,6 +44,9 @@ type virtd_exec_t; init_daemon_domain(virtd_t, virtd_exec_t) @@ -23094,7 +23104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # virtd local policy -@@ -49,9 +50,8 @@ +@@ -49,9 +51,8 @@ # # virtd local policy # @@ -23105,7 +23115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; -@@ -64,7 +64,7 @@ +@@ -64,7 +65,7 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -23114,7 +23124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -82,6 +82,8 @@ +@@ -82,6 +83,8 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -23123,7 +23133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_load_module(virtd_t) corecmd_exec_bin(virtd_t) -@@ -93,7 +95,7 @@ +@@ -93,7 +96,7 @@ corenet_tcp_sendrecv_all_nodes(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_all_nodes(virtd_t) 
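Review bot: In the virt.te section (outer hunk at -23072), the new declaration `type virt_image_t, virt_image_type; # customizable` is followed directly by `virt_image(virt_image_t)`, so the attribute may be assigned twice, and the comment `# virt_image_t can be assigned to blk devices` is lost along with the `dev_node(virt_image_t)` call it explained. The body of `virt_image()` is not visible here (it presumably comes from the virt.if change), so please confirm that it still applies both `files_type` and `dev_node`. If it also does the `typeattribute`, the declaration can stay `type virt_image_t; # customizable`. I would also document the new attribute where it is declared, for example `# virt_image_type: types that may label VM image files or block devices`, because any rule later written against the attribute applies to every type that carries it.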
@@ -23132,7 +23142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -107,8 +109,10 @@ +@@ -107,8 +110,10 @@ files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) @@ -23143,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_auto_mountpoints(virtd_t) -@@ -162,26 +166,27 @@ +@@ -162,26 +167,27 @@ ') ') @@ -23180,7 +23190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -189,9 +194,10 @@ +@@ -189,9 +195,10 @@ ') optional_policy(` @@ -23294,7 +23304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 15:02:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 21:00:40.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -23618,7 +23628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -649,13 +571,212 @@ +@@ -649,13 +571,213 @@ xserver_read_xdm_tmp_files($2) 
@@ -23780,6 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type clipboard_xselection_t; + type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t; + type manage_xevent_t, output_xext_t, property_xevent_t; ++ type debug_xext_t, screensaver_xext_t; + type shmem_xext_t, xselection_t; + attribute xevent_type, xextension_type; + ') @@ -23835,7 +23846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ##
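Review bot: In the xserver.if section (outer hunk at -23780), the added `type debug_xext_t, screensaver_xext_t;` extends a `gen_require` block that already names `manage_xevent_t` twice, once at the end of the `type xproperty_t, ...` line and again at the start of the next line. The second occurrence can be dropped, leaving `type output_xext_t, property_xevent_t;`. The interface body that uses the two new extension types starts and ends outside this hunk, so it is worth checking that both are actually referenced there. A required type that no rule uses only adds a way for the interface to fail when that type is absent.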

## Interface to provide X object permissions on a given X server to -@@ -682,7 +803,7 @@ +@@ -682,7 +804,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -23844,7 +23855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -691,7 +812,6 @@ +@@ -691,7 +813,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -23852,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -708,6 +828,7 @@ +@@ -708,6 +829,7 @@ class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -23860,7 +23871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -715,20 +836,22 @@ +@@ -715,20 +837,22 @@ # Declarations # @@ -23886,7 +23897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Local Policy -@@ -746,7 +869,7 @@ +@@ -746,7 +870,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -23895,7 +23906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -755,36 +878,30 @@ +@@ -755,36 +879,30 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients 
@@ -23942,7 +23953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Input # can receive own events -@@ -811,6 +928,12 @@ +@@ -811,6 +929,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; @@ -23955,7 +23966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -819,13 +942,15 @@ +@@ -819,13 +943,15 @@ # Other X Objects # can create and use cursors @@ -23975,7 +23986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -885,24 +1010,17 @@ +@@ -885,24 +1011,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -24007,7 +24018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow connections to X server. files_search_tmp($3) -@@ -917,16 +1035,12 @@ +@@ -917,16 +1036,12 @@ xserver_rw_session_template($1, $3, $4) xserver_use_user_fonts($1, $3) @@ -24027,7 +24038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -958,26 +1072,43 @@ +@@ -958,26 +1073,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -24078,7 +24089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -1003,10 +1134,77 @@ +@@ -1003,10 +1135,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -24158,7 +24169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1036,10 +1234,10 @@ +@@ -1036,10 +1235,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` 
@@ -24171,7 +24182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1225,6 +1423,25 @@ +@@ -1225,6 +1424,25 @@ ######################################## ## @@ -24197,7 +24208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read xdm-writable configuration files. ## ## -@@ -1279,6 +1496,7 @@ +@@ -1279,6 +1497,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -24205,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1297,7 +1515,7 @@ +@@ -1297,7 +1516,7 @@ ') files_search_pids($1) @@ -24214,7 +24225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1320,6 +1538,24 @@ +@@ -1320,6 +1539,24 @@ ######################################## ## @@ -24239,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the X server in the XDM X server domain. ## ## -@@ -1330,15 +1566,47 @@ +@@ -1330,15 +1567,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -24288,7 +24299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1488,7 +1756,7 @@ +@@ -1488,7 +1757,7 @@ type xdm_xserver_tmp_t; ') @@ -24297,7 +24308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1680,6 +1948,26 @@ +@@ -1680,6 +1949,26 @@ ######################################## ## 
@@ -24324,7 +24335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## xdm xserver RW shared memory socket. ## ## -@@ -1698,6 +1986,24 @@ +@@ -1698,6 +1987,24 @@ ######################################## ## @@ -24349,7 +24360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1710,8 +2016,157 @@ +@@ -1710,8 +2017,157 @@ # interface(`xserver_unconfined',` gen_require(`