[selinux-policy: 1349/3172] first part of dans patch Tue, 11 Apr 2006 09:25:24 -0400

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:02:06 UTC 2010


commit 8cfa5a00e15b91ea7fcc216e7e5c5777b9fb3bf2
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Apr 12 15:04:28 2006 +0000

    first part of Dan's patch Tue, 11 Apr 2006 09:25:24 -0400

 refpolicy/policy/modules/admin/rpm.te              |    3 +-
 refpolicy/policy/modules/apps/java.fc              |    5 +++
 refpolicy/policy/modules/apps/java.te              |    2 +-
 refpolicy/policy/modules/kernel/devices.fc         |    2 +
 refpolicy/policy/modules/kernel/devices.te         |    2 +-
 refpolicy/policy/modules/services/apache.if        |   21 +++++++++++++++
 refpolicy/policy/modules/services/apache.te        |    2 +-
 refpolicy/policy/modules/services/automount.te     |    3 +-
 refpolicy/policy/modules/services/bluetooth.te     |   14 ++++++---
 refpolicy/policy/modules/services/cups.te          |    4 +-
 refpolicy/policy/modules/services/dbus.te          |    3 +-
 refpolicy/policy/modules/services/ftp.te           |    3 +-
 refpolicy/policy/modules/services/gpm.te           |    5 +--
 refpolicy/policy/modules/services/hal.te           |    8 ++++-
 refpolicy/policy/modules/services/mysql.te         |    3 +-
 .../policy/modules/services/networkmanager.te      |    3 +-
 refpolicy/policy/modules/services/nscd.if          |   18 ++++++++++++
 refpolicy/policy/modules/services/nscd.te          |    2 +-
 refpolicy/policy/modules/services/rsync.te         |    6 +++-
 refpolicy/policy/modules/services/samba.te         |    4 ++-
 refpolicy/policy/modules/services/snmp.te          |    3 +-
 refpolicy/policy/modules/system/getty.fc           |    2 +
 refpolicy/policy/modules/system/getty.te           |    6 +++-
 refpolicy/policy/modules/system/libraries.fc       |   28 ++++++++++++++-----
 refpolicy/policy/modules/system/libraries.te       |    2 +-
 refpolicy/policy/modules/system/mount.te           |    6 +++-
 refpolicy/policy/modules/system/unconfined.if      |    9 +++---
 refpolicy/policy/modules/system/unconfined.te      |   10 +++---
 refpolicy/policy/modules/system/userdomain.te      |    5 ++-
 29 files changed, 136 insertions(+), 48 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index a2bc8ce..99e484c 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.3.3)
+policy_module(rpm,1.3.4)
 
 ########################################
 #
@@ -117,6 +117,7 @@ fs_search_auto_mountpoints(rpm_t)
 mls_file_read_up(rpm_t)
 mls_file_write_down(rpm_t)
 mls_file_upgrade(rpm_t)
+mls_file_downgrade(rpm_t)
 
 selinux_get_fs_mount(rpm_t)
 selinux_validate_context(rpm_t)
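Review bot: `mls_file_downgrade(rpm_t)` on L59 is added without a comment, and together with the existing `mls_file_upgrade(rpm_t)` just above it rpm_t can now move file labels in both directions across sensitivity levels, which is the MLS override the policy otherwise reserves for a few trusted domains. A reader cannot tell from this hunk which rpm operation needs to lower a file's sensitivity. Suggest a one-line comment above L59 such as `# downgrade: <rpm operation that writes files at a lower level> -- confirm` so the grant stays reviewable.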
diff --git a/refpolicy/policy/modules/apps/java.fc b/refpolicy/policy/modules/apps/java.fc
index 9375e71..0c38246 100644
--- a/refpolicy/policy/modules/apps/java.fc
+++ b/refpolicy/policy/modules/apps/java.fc
@@ -1,4 +1,9 @@
 #
+# /opt
+#
+/opt(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+
+#
 # /usr
 #
 /usr(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/java.te b/refpolicy/policy/modules/apps/java.te
index fd1df0f..26cca07 100644
--- a/refpolicy/policy/modules/apps/java.te
+++ b/refpolicy/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
 
-policy_module(java,1.1.0)
+policy_module(java,1.1.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc
index ee2e73e..ec33d1b 100644
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
@@ -72,6 +72,8 @@ ifdef(`distro_suse', `
 
 /dev/dri/.+		-c	gen_context(system_u:object_r:dri_device_t,s0)
 
+/dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+
 /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 58787ea..8e9f377 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.8)
+policy_module(devices,1.1.9)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 6e256bb..b0d39e5 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -197,6 +197,27 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t self:lnk_file read;
 	')
 
+	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
+		allow httpd_$1_script_t self:udp_socket create_socket_perms;
+
+		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_raw_sendrecv_all_if(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_tcp_bind_all_nodes(httpd_$1_script_t)
+		corenet_udp_bind_all_nodes(httpd_$1_script_t)
+		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
+		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
+
+		sysnet_read_config(httpd_$1_script_t)
+	')
+
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
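Review bot: The new `httpd_can_network_connect_db` block (L120–L139) grants far more than database connectivity: raw-socket send/receive on all interfaces and nodes (L127, L130), UDP send/receive on all ports (L132) and binding on all nodes (L133–L134) are not needed by a TCP client connecting to the postgresql and mysqld ports, so the tunable narrows the full `httpd_can_network_connect` block below it only by its connect lines. Suggest dropping the raw, UDP and bind lines and replacing `corenet_tcp_sendrecv_all_ports` on L131 with the per-port variants corenetwork generates next to the connect interfaces used here (`corenet_tcp_sendrecv_postgresql_port`, `corenet_tcp_sendrecv_mysqld_port`). The boolean itself is not declared anywhere in this commit — the apache.te hunk is only the version bump — so unless `gen_tunable(httpd_can_network_connect_db, false)` already exists, the reference build will fail on the unknown tunable. The `apache_content_template` template begins and ends outside this hunk.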
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 7fd8891..148da51 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.3.5)
+policy_module(apache,1.3.6)
 
 #
 # NOTES: 
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index c0dd711..62b2baf 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
 
-policy_module(automount,1.2.1)
+policy_module(automount,1.2.2)
 
 ########################################
 #
@@ -123,6 +123,7 @@ logging_send_syslog_msg(automount_t)
 logging_search_logs(automount_t)
 
 miscfiles_read_localization(automount_t)
+miscfiles_read_certs(automount_t)
 
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 074c2f3..e6b6496 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,1.2.3)
+policy_module(bluetooth,1.2.4)
 
 ########################################
 #
@@ -41,7 +41,7 @@ files_pid_file(bluetooth_var_run_t)
 # Bluetooth services local policy
 #
 
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_file_perms;
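Review bot: `ipc_lock` is added to bluetooth_t's capability set on L190 with no comment saying which operation needs it, and the same applies to `chown` added to hald_t on L320 in hal.te, where the only nearby comment (`# execute openvt which needs setuid`) now reads as if it explained the whole set. Capability grants are the lines a policy reader most needs a reason for, since each one is a distinct kernel privilege the domain can exercise against any object it can otherwise reach. Suggest a one-line comment for each new capability, e.g. `# ipc_lock: <operation> -- confirm` above L190 and an equivalent line for chown above L320, as mount.te does in this same commit with `# setuid/setgid needed to mount cifs`.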
@@ -176,9 +176,10 @@ allow bluetooth_helper_t self:tcp_socket create_socket_perms;
 
 allow bluetooth_helper_t bluetooth_t:socket { read write };
 
-allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
-allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
-files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
+allow bluetooth_helper_t bluetooth_helper_tmp_t:dir manage_dir_perms;
+allow bluetooth_helper_t bluetooth_helper_tmp_t:file manage_file_perms;
+allow bluetooth_helper_t bluetooth_helper_tmp_t:sock_file manage_file_perms;
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
 
 kernel_read_system_state(bluetooth_helper_t)
 kernel_read_kernel_sysctls(bluetooth_helper_t)
@@ -213,6 +214,8 @@ ifdef(`targeted_policy',`
 
 	fs_rw_tmpfs_files(bluetooth_helper_t)
 
+	term_dontaudit_use_generic_ptys(bluetooth_helper_t)
+
 	unconfined_stream_connect(bluetooth_helper_t)
 
 	userdom_read_all_users_home_content_files(bluetooth_helper_t)
@@ -223,6 +226,7 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
+	bluetooth_dbus_chat(bluetooth_helper_t)
 	dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
 	dbus_connect_system_bus(bluetooth_helper_t)
 	dbus_send_system_bus(bluetooth_helper_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 9a2d72f..1f8f1f7 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.3.2)
+policy_module(cups,1.3.3)
 
 ########################################
 #
@@ -110,7 +110,7 @@ allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
 allow cupsd_t cupsd_var_run_t:file create_file_perms;
-allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
+allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
 allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
 files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
 
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 07bd6fc..88289c1 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.2.1)
+policy_module(dbus,1.2.2)
 
 gen_require(`
 	class dbus { send_msg acquire_svc };
@@ -102,6 +102,7 @@ libs_use_shared_libs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
 miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_certs(system_dbusd_t)
 
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 8ed9e17..cc87327 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.2.1)
+policy_module(ftp,1.2.2)
 
 ########################################
 #
@@ -62,6 +62,7 @@ allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
 
 # Create and modify /var/log/xferlog.
+allow ftpd_t xferlog_t:dir search_dir_perms;
 allow ftpd_t xferlog_t:file create_file_perms;
 logging_log_filetrans(ftpd_t,xferlog_t,file)
 
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 0b68e0d..c2b800a 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -1,5 +1,5 @@
 
-policy_module(gpm,1.1.1)
+policy_module(gpm,1.1.2)
 
 ########################################
 #
@@ -54,8 +54,7 @@ kernel_read_proc_symlinks(gpm_t)
 
 dev_read_sysfs(gpm_t)
 # Access the mouse.
-# cjp: why write?
-dev_rw_input_dev(event_device_t)
+dev_rw_input_dev(gpm_t)
 dev_rw_mouse(gpm_t)
 
 fs_getattr_all_fs(gpm_t)
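Review bot: The corrected line `dev_rw_input_dev(gpm_t)` (L300) fixes the argument — the old line passed the device type `event_device_t` where the calling domain belongs — but the reviewer question `# cjp: why write?` on L298 was deleted rather than answered. If gpm really needs write access to input event devices, keep a comment saying why, e.g. `# write: <reason gpm writes to event devices> -- confirm`; if it only reads them, a read-only input-device interface would be the smaller grant.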
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 3ed03c2..6895d46 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.2)
+policy_module(hal,1.3.3)
 
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
 #
 
 # execute openvt which needs setuid
-allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
@@ -52,6 +52,9 @@ kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 
 files_search_boot(hald_t)
+files_getattr_home_dir(hald_t)
+
+auth_read_pam_console_data(hald_t)
 
 corecmd_exec_bin(hald_t)
 corecmd_exec_sbin(hald_t)
@@ -93,6 +96,7 @@ files_search_var_lib(hald_t)
 files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
+files_getattr_default_dirs(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index d4a30c2..56776c2 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
 
-policy_module(mysql,1.2.0)
+policy_module(mysql,1.2.1)
 
 ########################################
 #
@@ -104,6 +104,7 @@ logging_send_syslog_msg(mysqld_t)
 
 miscfiles_read_localization(mysqld_t)
 
+sysnet_use_ldap(mysqld_t)
 sysnet_read_config(mysqld_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 8112eb5..eaf58e1 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.3.0)
+policy_module(networkmanager,1.3.1)
 
 ########################################
 #
@@ -155,6 +155,7 @@ optional_policy(`
 
 optional_policy(`
 	nscd_socket_use(NetworkManager_t)
+	nscd_signal(NetworkManager_t)
 ')
 
 optional_policy(`
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
index dd13368..0625b2d 100644
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -2,6 +2,24 @@
 
 ########################################
 ## <summary>
+##	Send generic signals to NSCD.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_signal',`
+	gen_require(`
+		type nscd_t;
+	')
+
+	allow $1 nscd_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute NSCD in the nscd domain.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 37802b0..451302d 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.1)
+policy_module(nscd,1.2.2)
 
 gen_require(`
 	class nscd all_nscd_perms;
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index ae35a20..e362e71 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
 
-policy_module(rsync,1.2.0)
+policy_module(rsync,1.2.1)
 
 ########################################
 #
@@ -65,6 +65,7 @@ corenet_udp_sendrecv_all_ports(rsync_t)
 corenet_non_ipsec_sendrecv(rsync_t)
 corenet_tcp_bind_all_nodes(rsync_t)
 corenet_udp_bind_all_nodes(rsync_t)
+corenet_tcp_bind_rsync_port(rsync_t)
 
 dev_read_urand(rsync_t)
 
@@ -73,10 +74,13 @@ fs_getattr_xattr_fs(rsync_t)
 files_read_etc_files(rsync_t)
 files_search_home(rsync_t)
 
+init_dontaudit_use_fds(rsync_t)
+
 libs_use_ld_so(rsync_t)
 libs_use_shared_libs(rsync_t)
 
 logging_send_syslog_msg(rsync_t)
+logging_dontaudit_search_logs(rsync_t)
 
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 9e3f045..c5ae85e 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.2)
+policy_module(samba,1.2.3)
 
 #################################
 #
@@ -193,6 +193,8 @@ allow smbd_t samba_log_t:dir ra_dir_perms;
 dontaudit smbd_t samba_log_t:dir remove_name;
 allow smbd_t samba_log_t:file { create ra_file_perms };
 
+allow smbd_t samba_net_tmp_t:file getattr;
+
 allow smbd_t samba_secrets_t:dir rw_dir_perms;
 allow smbd_t samba_secrets_t:file create_file_perms;
 type_transition smbd_t samba_etc_t:file samba_secrets_t;
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index c96d72c..ebda872 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
 
-policy_module(snmp,1.1.0)
+policy_module(snmp,1.1.1)
 
 ########################################
 #
@@ -49,6 +49,7 @@ allow snmpd_t snmpd_var_run_t:file create_file_perms;
 allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
 
+kernel_read_device_sysctls(snmpd_t)
 kernel_read_kernel_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
diff --git a/refpolicy/policy/modules/system/getty.fc b/refpolicy/policy/modules/system/getty.fc
index 6db25c1..2a3e0f5 100644
--- a/refpolicy/policy/modules/system/getty.fc
+++ b/refpolicy/policy/modules/system/getty.fc
@@ -6,3 +6,5 @@
 /var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
 
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+
+/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
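Review bot: L501 labels `/var/spool/fax` with the `--` class qualifier, which matches regular files only; if /var/spool/fax is the fax spool directory, as the path suggests, this entry never matches and nothing below it is labelled. Drop the `--` (or use `-d`) and add `(/.*)?` so the tree is covered, e.g. `/var/spool/fax(/.*)?	gen_context(system_u:object_r:getty_var_run_t,s0)`. Reusing the pid-file type `getty_var_run_t` for spool data also ties the fax queue to whatever getty_t and other domains may already do to /var/run pid files; a dedicated spool type would keep the two separable.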
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index d8ede07..aaac752 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -1,5 +1,5 @@
 
-policy_module(getty,1.1.1)
+policy_module(getty,1.1.2)
 
 ########################################
 #
@@ -110,6 +110,10 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
+	mta_send_mail(getty_t)
+')
+
+optional_policy(`
 	nscd_socket_use(getty_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 9802886..bd47da3 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -33,6 +33,8 @@ ifdef(`distro_redhat',`
 #
 /opt(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/.*/jre.*/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/.*/jre.*/libjvm.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 #
 # /sbin
@@ -55,17 +57,24 @@ ifdef(`distro_redhat',`
 
 /usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/lib(64)?/pgsql/test/regress/.*\.so --	gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib(64)?/pgsql/test/regress/.*\.so	--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 
+/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware(.*/)?/VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
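Review bot: L550 uses the type `texrel_shlib_t`, which is not the `textrel_shlib_t` every other entry in this file uses; an undeclared type in a file-context entry leaves that path unlabelled at best and can fail the fc compile depending on the toolchain. The same misspelling appears three more times in this file's last hunk, on the intellinux entries L597–L599. The fix on all four lines is `textrel_shlib_t`. Separately, L549 (`/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)?`) is already matched by the broader existing entry on L539 with the same context and can be dropped.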
@@ -76,6 +85,7 @@ ifdef(`distro_redhat',`
 
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_redhat',`
 /usr/lib(64)?/.*/program/.*\.so.*		gen_context(system_u:object_r:shlib_t,s0)
@@ -92,6 +102,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -167,16 +178,17 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textre
 /usr/lib(64)?/libdivxdecore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdivxencore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-# vmware
-/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+# vmware 
+/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/.*/jre.*/libdeploy.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/.*/jre.*/libjvm.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr(/.*)?/intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr(/.*)?/intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr(/.*)?/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
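Review bot: L598 `/usr(/.*)?/intellinux/lib/\.so` matches only a file literally named `.so` inside a `lib` directory, because nothing precedes `\.so`; the intended pattern is presumably `/usr(/.*)?/intellinux/lib/.*\.so.*`. L599 also replaces the previous split — all `.api` plugins as `shlib_t`, only `AcroForm` and `EScript` as text-relocating — with every `.api` under `plug_ins` labelled text-relocating, which extends execmod to plugins that may not need it; if only specific plugins require it, keep the narrower per-file entries. The new entries further drop the `Reader/` path component, so they match any `intellinux` directory below /usr rather than just the Acrobat Reader install, which is worth stating in a comment if it is deliberate.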
 
 ifdef(`distro_suse',`
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 14cb763..8fe2fc8 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.3)
+policy_module(libraries,1.3.4)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 48c2212..ba89ae1 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
 
-policy_module(mount,1.3.3)
+policy_module(mount,1.3.4)
 
 ########################################
 #
@@ -19,7 +19,8 @@ files_tmp_file(mount_tmp_t)
 # mount local policy
 #
 
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config };
+# setuid/setgid needed to mount cifs 
+allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 
 allow mount_t mount_tmp_t:file create_file_perms;
 allow mount_t mount_tmp_t:dir create_dir_perms;
@@ -44,6 +45,7 @@ storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
 
 fs_getattr_xattr_fs(mount_t)
+fs_getattr_cifs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 3057feb..74a904f 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -55,7 +55,7 @@ interface(`unconfined_domain_noaudit',`
 	tunable_policy(`allow_execmem && allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execstack;
-		auditallow $1 self:process execstack;
+#		auditallow $1 self:process execstack;
 	', `
 		# These are fairly common but seem to be harmless
 		# caused by using shared libraries built with old tool chains
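Review bot: Commenting out `auditallow $1 self:process execstack;` on L653 (and the execmem block on L665–L667 in the next hunk) removes the only audit record the policy produces when an unconfined domain makes its stack or heap executable, so defenders lose that signal while the permission itself stays granted. The stated reason, `# Turn off this audit for FC5`, is distribution-specific, but the change lands unconditionally in the reference policy; either delete the lines outright rather than leaving commented-out code, or keep the `auditallow` in the else arm of an ifdef on `distro_redhat` so other distributions retain the audit. The interface `unconfined_domain_noaudit` begins and ends outside this hunk.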
@@ -109,9 +109,10 @@ interface(`unconfined_domain',`
 		auditallow $1 self:process execheap;
 	')
 
-	tunable_policy(`allow_execmem',`
-		auditallow $1 self:process execmem;
-	')
+# Turn off this audit for FC5
+#	tunable_policy(`allow_execmem',`
+#		auditallow $1 self:process execmem;
+#	')
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index f3fb908..0674249 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.3)
+policy_module(unconfined,1.3.4)
 
 ########################################
 #
@@ -41,6 +41,10 @@ ifdef(`targeted_policy',`
 	userdom_unconfined(unconfined_t)
 	userdom_priveleged_home_dir_manager(unconfined_t)
 
+#	optional_policy(`
+#		ada_domtrans(unconfined_t)
+#	')
+
 	optional_policy(`
 		amanda_domtrans_recover(unconfined_t)
 	')
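Review bot: L686–L688 add an `optional_policy` block for `ada_domtrans(unconfined_t)` that is entirely commented out, which is dead text a later reader has to decide how to interpret. Either land it live once the module it depends on exists, or leave it out; if the purpose is to record a pending dependency, a single line such as `# TODO: ada_domtrans(unconfined_t) once an ada module exists` says so without a commented-out block.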
@@ -106,10 +110,6 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`
-		netutils_domtrans_ping(unconfined_t)
-	')
-
-	optional_policy(`
 		portmap_domtrans_helper(unconfined_t)
 	')
 
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index c5a4954..c4d73bc 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.10)
+policy_module(userdomain,1.3.11)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -181,8 +181,9 @@ ifdef(`targeted_policy',`
 		logging_read_audit_log(secadm_t)
 		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
+		files_relabel_all_files(secadm_t)
+		auth_relabel_shadow(secadm_t)
 	', `
-		logging_domtrans_auditctl(sysadm_t)
 		logging_read_audit_log(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
 	')
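Review bot: `files_relabel_all_files(secadm_t)` and `auth_relabel_shadow(secadm_t)` on L719–L720 let the secadm domain retype any file, shadow included, and relabeling is the one operation that can move a file out of a type secadm_t is otherwise denied — presumably the intended division of duties for a security administrator, but the grant carries no comment, unlike the audit lines around it. Suggest a one-line comment above L719 such as `# secadm owns file labeling, including shadow` so the scope of the role is visible where the privilege is granted. The conditional this branch belongs to opens outside the hunk; only its else arm (`', `` on L721) is visible here.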

