rpms/selinux-policy/devel policy-20070703.patch, 1.14, 1.15 selinux-policy.spec, 1.477, 1.478

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jul 23 16:00:42 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5183

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Fri Jul 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.3-4
- Add anon_inodefs
- Allow unpriv user exec pam_exec_t
- Fix trigger


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- policy-20070703.patch	20 Jul 2007 15:13:37 -0000	1.14
+++ policy-20070703.patch	23 Jul 2007 16:00:09 -0000	1.15
@@ -333,8 +333,15 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.3/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/admin/anaconda.te	2007-07-17 15:46:25.000000000 -0400
-@@ -37,10 +37,6 @@
++++ serefpolicy-3.0.3/policy/modules/admin/anaconda.te	2007-07-23 09:26:54.000000000 -0400
+@@ -31,16 +31,13 @@
+ modutils_domtrans_insmod(anaconda_t)
+ 
+ seutil_domtrans_semanage(anaconda_t)
++seutil_domtrans_setsebool(anaconda_t)
+ 
+ unconfined_domain(anaconda_t)
+ 
  userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
@@ -547,6 +554,17 @@
  role system_r types traceroute_t;
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.0.3/policy/modules/admin/portage.if
+--- nsaserefpolicy/policy/modules/admin/portage.if	2007-07-03 07:06:36.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/admin/portage.if	2007-07-23 09:28:12.000000000 -0400
+@@ -324,6 +324,7 @@
+ 	seutil_domtrans_setfiles($1)
+ 	# run semodule
+ 	seutil_domtrans_semanage($1)
++	seutil_domtrans_setsebool($1)
+ 
+ 	portage_domtrans_gcc_config($1)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-06-15 14:54:34.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/admin/prelink.te	2007-07-17 15:46:25.000000000 -0400
@@ -806,7 +824,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.3/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-07-03 07:06:36.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/admin/rpm.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/admin/rpm.te	2007-07-20 17:08:28.000000000 -0400
 @@ -9,6 +9,8 @@
  type rpm_t;
  type rpm_exec_t;
@@ -816,6 +834,14 @@
  domain_obj_id_change_exemption(rpm_t)
  domain_role_change_exemption(rpm_t)
  domain_system_change_exemption(rpm_t)
+@@ -321,6 +323,7 @@
+ seutil_domtrans_loadpolicy(rpm_script_t)
+ seutil_domtrans_setfiles(rpm_script_t)
+ seutil_domtrans_semanage(rpm_script_t)
++seutil_domtrans_setsebool(rpm_script_t)
+ 
+ userdom_use_all_users_fds(rpm_script_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.3/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/admin/sudo.if	2007-07-17 15:46:25.000000000 -0400
@@ -1234,8 +1260,8 @@
  /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.3/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/gnome.if	2007-07-17 15:46:25.000000000 -0400
-@@ -33,6 +33,50 @@
++++ serefpolicy-3.0.3/policy/modules/apps/gnome.if	2007-07-23 11:05:01.000000000 -0400
+@@ -33,6 +33,51 @@
  ## </param>
  #
  template(`gnome_per_role_template',`
@@ -1245,6 +1271,7 @@
 +	# Declarations
 +	#
 +	type $1_gnome_home_t;
++	userdom_user_home_type($1_gnome_home_t)
 +	userdom_user_home_content($1, $1_gnome_home_t)
 +	manage_dirs_pattern($2,$1_gnome_home_t, $1_gnome_home_t)
 +	manage_files_pattern($2,$1_gnome_home_t, $1_gnome_home_t)
@@ -1286,7 +1313,7 @@
  	gen_require(`
  		type gconfd_exec_t;
  		attribute gnomedomain;
-@@ -51,9 +95,6 @@
+@@ -51,9 +96,6 @@
  	type $1_gconf_home_t;
  	userdom_user_home_content($1, $1_gconf_home_t)
  
@@ -1296,7 +1323,7 @@
  	type $1_gconf_tmp_t;
  	files_tmp_file($1_gconf_tmp_t)
  
-@@ -78,9 +119,6 @@
+@@ -78,9 +120,6 @@
  	allow $1_gconfd_t $2:fifo_file write;
  	allow $1_gconfd_t $2:unix_stream_socket connectto;
  
@@ -1306,7 +1333,7 @@
  	ps_process_pattern($2,$1_gconfd_t)
  
  	dev_read_urand($1_gconfd_t)
-@@ -101,9 +139,18 @@
+@@ -101,9 +140,18 @@
  	gnome_stream_connect_gconf_template($1,$2)
  
  	optional_policy(`
@@ -1325,7 +1352,7 @@
  	optional_policy(`
  		xserver_use_xdm_fds($1_gconfd_t)
  		xserver_rw_xdm_pipes($1_gconfd_t)
-@@ -136,13 +183,32 @@
+@@ -136,13 +184,32 @@
  	allow $2 $1_gconfd_t:unix_stream_socket connectto;
  ')
  
@@ -1359,7 +1386,7 @@
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -171,6 +237,30 @@
+@@ -171,6 +238,30 @@
  
  ########################################
  ## <summary>
@@ -1390,7 +1417,7 @@
  ##	manage gnome homedir content (.config)
  ## </summary>
  ## <param name="userdomain_prefix">
-@@ -193,3 +283,23 @@
+@@ -193,3 +284,23 @@
  	allow $2 $1_gnome_home_t:dir manage_dir_perms;
  	allow $2 $1_gnome_home_t:file manage_file_perms;
  ')
@@ -1406,7 +1433,7 @@
 +##	</summary>
 +## </param>
 +#
-+template(`gnome_exec_gconf',`
++interface(`gnome_exec_gconf',`
 +	gen_require(`
 +		type gconfd_exec_t;
 +	')
@@ -1711,7 +1738,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-20 17:26:25.000000000 -0400
 @@ -36,6 +36,8 @@
  	gen_require(`
  		type mozilla_conf_t, mozilla_exec_t;
@@ -1736,7 +1763,7 @@
  	########################################
  	#
  	# Local policy
-@@ -97,15 +107,36 @@
+@@ -97,15 +107,37 @@
  	relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
  	relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
  
@@ -1758,6 +1785,7 @@
 +	userdom_read_user_home_content_files($1,$1_mozilla_t)
 +	userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
 +	userdom_read_user_tmp_files($1,$1_mozilla_t)
++	userdom_list_user_files($1,$1_mozilla_t)
 +	userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
 +	userdom_manage_user_tmp_files($1,$1_mozilla_t)
 +	userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
@@ -1780,7 +1808,7 @@
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
  
-@@ -171,6 +202,8 @@
+@@ -171,6 +203,8 @@
  	fs_list_inotifyfs($1_mozilla_t)
  	fs_rw_tmpfs_files($1_mozilla_t)
  
@@ -1789,7 +1817,7 @@
  	term_dontaudit_getattr_pty_dirs($1_mozilla_t)
  	
  	libs_use_ld_so($1_mozilla_t)
-@@ -186,12 +219,9 @@
+@@ -186,12 +220,9 @@
  	sysnet_dns_name_resolve($1_mozilla_t)
  	sysnet_read_config($1_mozilla_t)
  	
@@ -1805,7 +1833,7 @@
  	
  	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
  	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
-@@ -213,133 +243,6 @@
+@@ -213,133 +244,6 @@
  		fs_manage_cifs_symlinks($1_mozilla_t)
  	')
  
@@ -1939,7 +1967,7 @@
  	optional_policy(`
  		apache_read_user_scripts($1,$1_mozilla_t)
  		apache_read_user_content($1,$1_mozilla_t)
-@@ -352,21 +255,23 @@
+@@ -352,21 +256,23 @@
  	optional_policy(`
  		cups_read_rw_config($1_mozilla_t)
  		cups_dbus_chat($1_mozilla_t)
@@ -1966,7 +1994,7 @@
  	')
  
  	optional_policy(`
-@@ -386,25 +291,6 @@
+@@ -386,25 +292,6 @@
  		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
  	')
  
@@ -1992,7 +2020,7 @@
  ')
  
  ########################################
-@@ -577,3 +463,27 @@
+@@ -577,3 +464,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -2272,7 +2300,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.3/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/kernel/domain.if	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/kernel/domain.if	2007-07-20 16:52:28.000000000 -0400
 @@ -45,6 +45,11 @@
  	# start with basic domain
  	domain_base_type($1)
@@ -2552,6 +2580,22 @@
 +	allow $1 root_t:dir rw_dir_perms;
 +	allow $1 root_t:file { create getattr write };
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.3/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-07-03 07:05:38.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/kernel/filesystem.te	2007-07-23 10:44:40.000000000 -0400
+@@ -43,6 +43,12 @@
+ #
+ # Non-persistent/pseudo filesystems
+ #
++
++type anon_inodefs_t;
++fs_type(anon_inodefs_t)
++files_mountpoint(anon_inodefs_t)
++genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
++
+ type bdev_t;
+ fs_type(bdev_t)
+ genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.3/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/kernel/kernel.if	2007-07-17 15:46:25.000000000 -0400
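Review bot: The new `anon_inodefs_t` type is declared and mapped with `genfscon`, but nothing in this hunk or elsewhere in the commit grants any domain read/write on it, so descriptors the kernel backs with anon_inodefs will carry a label no domain is allowed to use; I would expect denials in domains that use them until a filesystem.if interface exists and is called (inferred, not visible here). If that is meant as a follow-up, a comment at the declaration such as `# TODO: no domain has access to anon_inodefs_t yet; add fs interface` would make it explicit. `files_mountpoint(anon_inodefs_t)` also looks unnecessary for a kernel-internal pseudo filesystem that is never mounted, unless a consumer I cannot see relies on it.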
@@ -4598,8 +4642,8 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.3/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/dovecot.fc	2007-07-17 15:46:25.000000000 -0400
-@@ -17,10 +17,12 @@
++++ serefpolicy-3.0.3/policy/modules/services/dovecot.fc	2007-07-23 09:12:16.000000000 -0400
+@@ -17,16 +17,19 @@
  
  ifdef(`distro_debian', `
  /usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@@ -4612,6 +4656,13 @@
  ')
  
  #
+ # /var
+ #
+ /var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+ 
+ /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.3/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/services/dovecot.if	2007-07-17 15:46:25.000000000 -0400
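Review bot: The added file-context entry `+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(...)` leaves the `.` in `ssl-parameters.dat` unescaped, so as a regular expression it matches any character in that position; the refpolicy convention is `ssl-parameters\.dat`. Labelling a file under /var/run as `dovecot_var_lib_t` rather than `dovecot_var_run_t` is presumably deliberate, but a one-line comment above the entry stating why would stop a later cleanup from "correcting" it.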
@@ -4967,7 +5018,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-07-03 07:06:26.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/hal.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/services/hal.te	2007-07-20 15:18:42.000000000 -0400
 @@ -22,6 +22,12 @@
  type hald_log_t;
  files_type(hald_log_t)
@@ -5007,7 +5058,15 @@
  
  fs_getattr_all_fs(hald_t)
  fs_search_all(hald_t)
-@@ -180,6 +191,7 @@
+@@ -163,6 +174,7 @@
+ #hal runs shutdown, probably need a shutdown domain
+ init_rw_utmp(hald_t)
+ init_telinit(hald_t)
++init_dontaudit_use_fds(hald_t)
+ 
+ libs_use_ld_so(hald_t)
+ libs_use_shared_libs(hald_t)
+@@ -180,6 +192,7 @@
  
  seutil_read_config(hald_t)
  seutil_read_default_contexts(hald_t)
@@ -5015,7 +5074,7 @@
  
  sysnet_read_config(hald_t)
  
-@@ -187,6 +199,7 @@
+@@ -187,6 +200,7 @@
  userdom_dontaudit_search_sysadm_home_dirs(hald_t)
  
  optional_policy(`
@@ -5023,7 +5082,7 @@
  	alsa_read_rw_config(hald_t)
  ')
  
-@@ -228,6 +241,10 @@
+@@ -228,6 +242,10 @@
  	optional_policy(`
  		networkmanager_dbus_chat(hald_t)
  	')
@@ -5034,7 +5093,7 @@
  ')
  
  optional_policy(`
-@@ -296,7 +313,10 @@
+@@ -296,7 +314,10 @@
  corecmd_exec_bin(hald_acl_t)
  
  dev_getattr_all_chr_files(hald_acl_t)
@@ -5045,7 +5104,7 @@
  dev_setattr_sound_dev(hald_acl_t)
  dev_setattr_generic_usb_dev(hald_acl_t)
  dev_setattr_usbfs_files(hald_acl_t)
-@@ -358,3 +378,25 @@
+@@ -358,3 +379,25 @@
  libs_use_shared_libs(hald_sonypic_t)
  
  miscfiles_read_localization(hald_sonypic_t)
@@ -6185,7 +6244,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.3/policy/modules/services/radius.te
 --- nsaserefpolicy/policy/modules/services/radius.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/radius.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/services/radius.te	2007-07-23 10:49:33.000000000 -0400
 @@ -82,6 +82,7 @@
  
  auth_read_shadow(radiusd_t)
@@ -6194,6 +6253,14 @@
  
  corecmd_exec_bin(radiusd_t)
  corecmd_exec_shell(radiusd_t)
+@@ -99,6 +100,7 @@
+ logging_send_syslog_msg(radiusd_t)
+ 
+ miscfiles_read_localization(radiusd_t)
++miscfiles_read_certs(radiusd_t)
+ 
+ sysnet_read_config(radiusd_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.3/policy/modules/services/rhgb.te
 --- nsaserefpolicy/policy/modules/services/rhgb.te	2007-07-03 07:06:27.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/services/rhgb.te	2007-07-17 15:46:25.000000000 -0400
@@ -6994,7 +7061,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/xserver.if	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/services/xserver.if	2007-07-23 11:02:03.000000000 -0400
 @@ -353,12 +353,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
@@ -7042,7 +7109,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -555,25 +555,47 @@
+@@ -555,25 +555,46 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -7056,10 +7123,10 @@
  	userdom_search_user_home_dirs($1,$2)
 -	# for .xsession-errors
 -	userdom_dontaudit_write_user_home_content_files($1,$2)
+-
 +	userdom_manage_user_home_content_dirs($1, xdm_t)
 +	userdom_manage_user_home_content_files($1, xdm_t)
 +	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
- 
  	xserver_ro_session_template(xdm,$2,$3)
 -	xserver_rw_session_template($1,$2,$3)
 -	xserver_use_user_fonts($1,$2)
@@ -7076,8 +7143,8 @@
 +		userdom_read_all_users_home_content_files(xdm_t)
 +		userdom_read_all_users_home_content_files(xdm_xserver_t)
 +#Compiler is broken so these wont work
-+#		gnome_read_user_gnome_config($1, xdm_t)
-+#		gnome_read_user_gnome_config($1, xdm_xserver_t)
++		gnome_read_user_gnome_config($1, xdm_t)
++		gnome_read_user_gnome_config($1, xdm_xserver_t)
 +	')
 +
 +	# Read .Xauthority file
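Review bot: The context line `+#Compiler is broken so these wont work` directly above the two `gnome_read_user_gnome_config` calls is now stale, since this hunk uncomments those calls; it should be removed, or replaced with a note saying what changed to make them build. The enclosing `optional_policy` block starts outside the hunk.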
@@ -7098,7 +7165,7 @@
  	')
  ')
  
-@@ -626,6 +648,24 @@
+@@ -626,6 +647,24 @@
  
  ########################################
  ## <summary>
@@ -7123,7 +7190,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -659,6 +699,73 @@
+@@ -659,6 +698,73 @@
  
  ########################################
  ## <summary>
@@ -7197,7 +7264,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -1136,7 +1243,7 @@
+@@ -1136,7 +1242,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -7206,7 +7273,7 @@
  ')
  
  ########################################
-@@ -1325,3 +1432,44 @@
+@@ -1325,3 +1431,44 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -7549,7 +7616,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.3/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/authlogin.if	2007-07-20 11:12:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/system/authlogin.if	2007-07-20 14:51:53.000000000 -0400
 @@ -27,7 +27,8 @@
  	domain_type($1_chkpwd_t)
  	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
@@ -8038,14 +8105,15 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.3/policy/modules/system/fusermount.fc
 --- nsaserefpolicy/policy/modules/system/fusermount.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.3/policy/modules/system/fusermount.fc	2007-07-17 15:46:25.000000000 -0400
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.0.3/policy/modules/system/fusermount.fc	2007-07-23 08:11:14.000000000 -0400
+@@ -0,0 +1,7 @@
 +# fusermount executable will have:
 +# label: system_u:object_r:fusermount_exec_t
 +# MLS sensitivity: s0
 +# MCS categories: <none>
 +
 +/usr/bin/fusermount		--	gen_context(system_u:object_r:fusermount_exec_t,s0)
++/bin/fusermount		--	gen_context(system_u:object_r:fusermount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-3.0.3/policy/modules/system/fusermount.if
 --- nsaserefpolicy/policy/modules/system/fusermount.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.3/policy/modules/system/fusermount.if	2007-07-17 15:46:25.000000000 -0400
@@ -9033,13 +9101,13 @@
  /var/spool/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.3/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/modutils.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/system/modutils.te	2007-07-23 09:23:58.000000000 -0400
 @@ -43,7 +43,7 @@
  # insmod local policy
  #
  
 -allow insmod_t self:capability { dac_override net_raw sys_tty_config };
-+allow insmod_t self:capability { dac_override mknod net_raw sys_tty_config };
++allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms; 
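Review bot: The `sys_nice` capability added to the `allow insmod_t self:capability` line has no comment explaining which operation needs it; capability grants on a kernel-adjacent domain like insmod_t tend to be carried forward indefinitely once added, so the trigger should be recorded, e.g. `# sys_nice: <placeholder: the denied operation that required it>` on the line above.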
@@ -10301,7 +10369,7 @@
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 11:53:11.000000000 -0400
 @@ -29,90 +29,99 @@
  	')
  
@@ -10845,12 +10913,10 @@
 -	kernel_get_sysvipc_info($1_t)
 -	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
-+	kernel_get_sysvipc_info($1_usertype)
- 
+-
 -	corenet_udp_bind_all_nodes($1_t)
 -	corenet_udp_bind_generic_port($1_t)
-+	corenet_udp_bind_all_nodes($1_usertype)
-+	corenet_udp_bind_generic_port($1_usertype)
++	kernel_get_sysvipc_info($1_usertype)
  
 -	dev_read_sysfs($1_t)
 -	dev_read_rand($1_t)
@@ -10859,7 +10925,9 @@
 -	dev_read_sound($1_t)
 -	dev_read_sound_mixer($1_t)
 -	dev_write_sound_mixer($1_t)
--
++	corenet_udp_bind_all_nodes($1_usertype)
++	corenet_udp_bind_generic_port($1_usertype)
+ 
 -	domain_use_interactive_fds($1_t)
 -	# Command completion can fire hundreds of denials
 -	domain_dontaudit_exec_all_entry_files($1_t)
@@ -10925,10 +10993,10 @@
 -	# Stop warnings about access to /dev/console
 -	init_dontaudit_use_fds($1_t)
 -	init_dontaudit_use_script_fds($1_t)
+-
+-	libs_exec_lib_files($1_t)
 +	storage_getattr_fixed_disk_dev($1_usertype)
  
--	libs_exec_lib_files($1_t)
--
 -	logging_dontaudit_getattr_all_logs($1_t)
 -
 -	miscfiles_read_man_pages($1_t)
@@ -11317,12 +11385,14 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -985,36 +1038,66 @@
+@@ -985,36 +1038,68 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
 -	userdom_poly_home_template($1)
 -	userdom_poly_tmp_template($1)
++	auth_exec_pam($1_t)
++
 +	optional_policy(`
 +		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 +	')
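Review bot: `+	auth_exec_pam($1_t)` is added unconditionally to this template, so every domain built from it, not only the X-windows login variant where the same call is removed in a later hunk of this file, may now execute pam_exec_t programs in its own domain without a transition. That matches the changelog entry, but the line carries no comment; suggest `# run pam helpers (pam_exec_t) in the user domain; needed for <placeholder: use case>` so the widening stays traceable. The enclosing template starts outside the hunk.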
@@ -11398,7 +11468,7 @@
  		')
  	')
  
-@@ -1028,16 +1111,8 @@
+@@ -1028,16 +1113,8 @@
  	# the same domain and outside users)  disabling this forces FTP passive mode
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
@@ -11417,7 +11487,7 @@
  	')
  
  	optional_policy(`
-@@ -1054,17 +1129,6 @@
+@@ -1054,17 +1131,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -11435,7 +11505,7 @@
  ')
  
  #######################################
-@@ -1102,6 +1166,8 @@
+@@ -1102,6 +1168,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -11444,7 +11514,7 @@
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1193,7 @@
+@@ -1127,7 +1195,7 @@
  	# $1_t local policy
  	#
  
@@ -11453,7 +11523,7 @@
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,8 +1205,6 @@
+@@ -1139,8 +1207,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -11462,7 +11532,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1902,6 +1966,41 @@
+@@ -1902,6 +1968,41 @@
  
  ########################################
  ## <summary>
@@ -11504,7 +11574,7 @@
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -3078,7 +3177,7 @@
+@@ -3078,7 +3179,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -11513,7 +11583,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5422,7 @@
+@@ -5323,7 +5424,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -11522,7 +11592,7 @@
  ')
  
  ########################################
-@@ -5548,6 +5647,26 @@
+@@ -5548,6 +5649,26 @@
  
  ########################################
  ## <summary>
@@ -11549,7 +11619,7 @@
  ##	Unconfined access to user domains.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -5559,3 +5678,191 @@
+@@ -5559,3 +5680,234 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -11617,6 +11687,26 @@
 +
 +########################################
 +## <summary>
++##	allow getattr all user file type
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_list_user_files',`
++	gen_require(`
++		attribute $1_file_type;
++	')
++
++	allow $2 $1_file_type:dir search_dir_perms;
++	allow $2 $1_file_type:file getattr;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to write to homedirs of sysadm users 
 +##	home directory.
 +## </summary>
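Review bot: `userdom_list_user_files` is declared with `interface(` but expands `$1_file_type` from a userdomain prefix and takes the domain as `$2`, which in refpolicy is the shape of a `template(`; the XML block above it documents only `<param name="domain">`, so the generated documentation will describe a one-argument interface for a two-argument one. Suggest changing the declaration line to `template(` and adding a `<param name="userdomain_prefix">` entry, with a summary stating what is actually granted (search on every `$1_file_type` directory and getattr on every `$1_file_type` file, which is broader than "list"). The `<rolecap/>` tag also looks misplaced, since no role capability is granted here; the caller added in mozilla.if earlier in this commit is unaffected by the `interface`/`template` change.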
@@ -11695,10 +11785,16 @@
 +template(`userdom_unpriv_xwindows_login_user', `
 +
 +userdom_unpriv_login_user($1)
++# Should be optional but policy will not build because of compiler problems
++# Must be before xwindows calls
++#optional_policy(`
++	gnome_per_role_template($1, $1_usertype, $1_r)
++	gnome_exec_gconf($1_t)
++#')
++
 +userdom_xwindows_client_template($1)
 +allow xguest_usertype xguest_usertype:unix_stream_socket { create_stream_socket_perms connectto };
 +
-+auth_exec_pam($1_t)
 +logging_send_syslog_msg($1_usertype)
 +
 +optional_policy(`
@@ -11717,11 +11813,6 @@
 +')
 +
 +optional_policy(`
-+	gnome_per_role_template($1, $1_usertype, $1_r)
-+	gnome_exec_gconf($1_t)
-+')
-+
-+optional_policy(`
 +	java_per_role_template($1, $1_t, $1_r)
 +')
 +
@@ -11741,6 +11832,28 @@
 +dev_dontaudit_read_rand($1_usertype)
 +
 +')
++
++########################################
++## <summary>
++##	Identify specified type as being in a users home directory
++## </summary>
++## <desc>
++##	<p>
++##	Make the specified type a home type.
++##	</p>
++## </desc>
++## <param name="type">
++##	<summary>
++##	Type to be used as a home directory type.
++##	</summary>
++## </param>
++#
++interface(`userdom_user_home_type',`
++	gen_require(`
++		attribute user_home_type;
++	')
++	typeattribute $1 user_home_type;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.3/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-07-03 07:06:32.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/system/userdomain.te	2007-07-17 15:46:25.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.477
retrieving revision 1.478
diff -u -r1.477 -r1.478
--- selinux-policy.spec	20 Jul 2007 15:13:37 -0000	1.477
+++ selinux-policy.spec	23 Jul 2007 16:00:09 -0000	1.478
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -293,13 +293,13 @@
 %relabel targeted
 exit 0
 
-%triggerpostun targeted -- selinux-policy-targeted < 3.0.3.2
+%triggerpostun targeted -- selinux-policy-targeted <= 3.0.3-4
 setsebool -P use_nfs_home_dirs=1
+restorecon -R /root /etc/selinux/targeted 2> /dev/null
 semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 2> /dev/null
-semanage user -a -P guest -R guest_r guest_u
-semanage user -a -P xguest -R xguest_r xguest_u
-restorecon -R /root 2> /dev/null
+semanage user -a -P guest -R guest_r guest_u 2> /dev/null
+semanage user -a -P xguest -R xguest_r xguest_u 
 exit 0
 
 %files targeted
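Review bot: The two `semanage user -a` lines at the end of the trigger are now inconsistent: the guest_u line gained `2> /dev/null` but the xguest_u line did not and picked up a trailing space, so on every upgrade where xguest_u already exists that command prints an error to the terminal; change it to `semanage user -a -P xguest -R xguest_r xguest_u 2> /dev/null`. Note also that the new condition `<= 3.0.3-4` matches the release being built, so the trigger will run again when 3.0.3-4 is itself upgraded; that may be intended, since the body is idempotent apart from the noise above, but a comment on the `%triggerpostun` line saying so would help the next person who touches it.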
@@ -359,6 +359,11 @@
 %endif
 
 %changelog
+* Fri Jul 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.3-4
+- Add anon_inodefs
+- Allow unpriv user exec pam_exec_t
+- Fix trigger
+
 * Fri Jul 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.3-3
 - Allow cups to use generic usb
 - fix inetd to be able to run random apps (git)



