rpms/selinux-policy/F-8 booleans-targeted.conf, 1.31, 1.32 policy-20070703.patch, 1.101, 1.102 selinux-policy.spec, 1.551, 1.552
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Oct 22 21:27:40 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7304
Modified Files:
booleans-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-29
- Allow XServer to read /proc/self/cmdline
- Fix unconfined cron jobs
- Allow fetchmail to transition to procmail
- Fixes for hald_mac
- Allow system_mail to transition to exim
- Allow tftpd to upload files
- Allow xdm to manage unconfined_tmp
- Allow udef to read alsa config
- Fix xguest to be able to connect to sound port
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/booleans-targeted.conf,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- booleans-targeted.conf 5 Oct 2007 19:47:10 -0000 1.31
+++ booleans-targeted.conf 22 Oct 2007 21:27:07 -0000 1.32
@@ -254,3 +254,7 @@
# Only allow browser to use the web
#
browser_confine_xguest=true
+
+# Allow postfix locat to write to mail spool
+#
+allow_postfix_local_write_mail_spool=true
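Review bot: The comment introducing the new boolean misspells the domain name: `# Allow postfix locat to write to mail spool` should read `# Allow postfix local to write to mail spool`. Since the value shipped here is `true`, the comment is the only place an administrator reading this file learns what is being switched on by default, so it is worth also stating that plainly, e.g. `# Allow postfix local to write to mail spool (enabled by default in targeted)`.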
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -r1.101 -r1.102
--- policy-20070703.patch 19 Oct 2007 21:21:40 -0000 1.101
+++ policy-20070703.patch 22 Oct 2007 21:27:07 -0000 1.102
@@ -766,7 +766,7 @@
+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-10-22 10:19:13.000000000 -0400
@@ -74,3 +74,39 @@
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
@@ -4358,7 +4358,7 @@
files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-19 11:00:20.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-22 10:49:20.000000000 -0400
@@ -352,6 +352,24 @@
########################################
@@ -5128,7 +5128,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-10-22 17:13:12.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -5249,7 +5249,7 @@
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -284,6 +335,7 @@
+@@ -284,19 +335,22 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -5257,7 +5257,25 @@
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -330,6 +382,10 @@
+-corenet_tcp_sendrecv_all_if(httpd_t)
+ corenet_udp_sendrecv_all_if(httpd_t)
+-corenet_tcp_sendrecv_all_nodes(httpd_t)
+ corenet_udp_sendrecv_all_nodes(httpd_t)
+-corenet_tcp_sendrecv_all_ports(httpd_t)
+ corenet_udp_sendrecv_all_ports(httpd_t)
++
++corenet_tcp_sendrecv_all_ports(httpd_t)
++corenet_tcp_sendrecv_all_if(httpd_t)
+ corenet_tcp_bind_all_nodes(httpd_t)
+ corenet_tcp_bind_http_port(httpd_t)
+ corenet_tcp_bind_http_cache_port(httpd_t)
++corenet_tcp_sendrecv_all_nodes(httpd_t)
+ corenet_sendrecv_http_server_packets(httpd_t)
++
+ # Signal self for shutdown
+ corenet_tcp_connect_http_port(httpd_t)
+
+@@ -330,6 +384,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -5268,7 +5286,7 @@
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -348,7 +404,9 @@
+@@ -348,7 +406,9 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -5279,7 +5297,7 @@
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
-@@ -360,6 +418,7 @@
+@@ -360,6 +420,7 @@
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@@ -5287,7 +5305,7 @@
')
')
-@@ -367,6 +426,16 @@
+@@ -367,6 +428,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -5304,7 +5322,7 @@
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +456,17 @@
+@@ -387,6 +458,17 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -5322,7 +5340,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -404,11 +484,21 @@
+@@ -404,11 +486,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -5344,7 +5362,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +520,12 @@
+@@ -430,6 +522,12 @@
')
optional_policy(`
@@ -5357,7 +5375,7 @@
calamaris_read_www_files(httpd_t)
')
-@@ -442,8 +538,15 @@
+@@ -442,8 +540,15 @@
')
optional_policy(`
@@ -5374,7 +5392,7 @@
')
optional_policy(`
-@@ -457,11 +560,11 @@
+@@ -457,11 +562,11 @@
optional_policy(`
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
@@ -5387,7 +5405,7 @@
')
optional_policy(`
-@@ -481,6 +584,7 @@
+@@ -481,6 +586,7 @@
')
optional_policy(`
@@ -5395,7 +5413,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -512,10 +616,16 @@
+@@ -512,10 +618,16 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
@@ -5413,7 +5431,7 @@
########################################
#
# Apache PHP script local policy
-@@ -553,6 +663,7 @@
+@@ -553,6 +665,7 @@
optional_policy(`
mysql_stream_connect(httpd_php_t)
@@ -5421,7 +5439,7 @@
')
optional_policy(`
-@@ -567,7 +678,6 @@
+@@ -567,7 +680,6 @@
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@@ -5429,7 +5447,7 @@
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -581,6 +691,10 @@
+@@ -581,6 +693,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -5440,7 +5458,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -606,6 +720,10 @@
+@@ -606,6 +722,10 @@
miscfiles_read_localization(httpd_suexec_t)
@@ -5451,7 +5469,7 @@
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +738,13 @@
+@@ -620,10 +740,13 @@
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -5466,7 +5484,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -634,6 +755,12 @@
+@@ -634,6 +757,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -5479,7 +5497,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +778,6 @@
+@@ -651,18 +780,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -5498,7 +5516,7 @@
########################################
#
# Apache system script local policy
-@@ -672,7 +787,8 @@
+@@ -672,7 +789,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -5508,7 +5526,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +802,66 @@
+@@ -686,15 +804,66 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -5576,7 +5594,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -707,6 +874,20 @@
+@@ -707,6 +876,20 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -5597,7 +5615,7 @@
')
########################################
-@@ -728,3 +909,20 @@
+@@ -728,3 +911,20 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -6035,7 +6053,7 @@
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.8/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-10-22 16:39:48.000000000 -0400
@@ -35,6 +35,7 @@
#
template(`cron_per_role_template',`
@@ -7225,7 +7243,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-15 13:07:49.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-22 17:21:04.000000000 -0400
@@ -0,0 +1,157 @@
+## <summary>Exim service</summary>
+
@@ -7246,7 +7264,7 @@
+ ')
+
+ corecmd_search_sbin($1)
-+ domtrans_pattern($1, exim_t, exim_exec_t)
++ domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
+########################################
@@ -7386,8 +7404,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-17 15:46:40.000000000 -0400
-@@ -0,0 +1,229 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-22 17:07:07.000000000 -0400
+@@ -0,0 +1,232 @@
+# $Id$
+# Draft SELinux refpolicy module for the Exim MTA
+#
@@ -7402,6 +7420,8 @@
+
+type exim_t;
+type exim_exec_t;
++domain_type(exim_t)
++domain_entry_file(exim_t,exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
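Review bot: The added `domain_type(exim_t)` and `domain_entry_file(exim_t,exim_exec_t)` look redundant next to the existing `mta_mailserver(exim_t, exim_exec_t)`: in refpolicy that interface is built on init_daemon_domain(), which already declares its first argument a domain and its second argument the entry point. If that holds for this tree, dropping the two lines keeps exim.te consistent with the other mail server modules; if it does not (the interface body is not visible here), a one-line comment saying why the explicit calls are needed would stop the next reader from removing them. The declaration block continues outside this hunk.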
@@ -7501,13 +7521,14 @@
+
+kernel_read_kernel_sysctls(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
++kernel_read_network_state(exim_t)
+
+miscfiles_read_localization(exim_t)
+miscfiles_read_certs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
-+mta_rw_spool(exim_t)
++mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
+# Init script handling
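Review bot: `mta_manage_spool(exim_t)` replaces `mta_rw_spool(exim_t)` without a comment recording why the wider access is needed; manage adds create, unlink and rename on the spool on top of the read/write the old line granted. If the reason is that exim creates and removes its own queue files under the spool (not visible here — confirm against the queue layout), a comment such as `# exim creates and removes its own queue files under the mail spool` above the call would document it. The `kernel_read_network_state(exim_t)` added earlier in the same hunk needs no such note.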
@@ -7617,6 +7638,20 @@
+ exim_manage_var_lib(exim_lib_update_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.0.8/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/fetchmail.te 2007-10-22 11:52:47.000000000 -0400
+@@ -86,6 +86,10 @@
+ userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
+
+ optional_policy(`
++ procmail_domtrans(fetchmail_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(fetchmail_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.0.8/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ftp.if 2007-10-03 11:10:24.000000000 -0400
@@ -7735,7 +7770,7 @@
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-19 15:06:33.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-22 10:00:45.000000000 -0400
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -7780,11 +7815,13 @@
allow hald_acl_t self:fifo_file read_fifo_file_perms;
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -341,9 +348,12 @@
+@@ -340,10 +347,14 @@
+ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_mac_t)
++dev_read_raw_memory(hald_mac_t)
dev_write_raw_memory(hald_mac_t)
-+dev_read_sysfs(hald_t)
++dev_read_sysfs(hald_mac_t)
files_read_usr_files(hald_mac_t)
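Review bot: `dev_read_raw_memory(hald_mac_t)` is added beside the existing `dev_write_raw_memory(hald_mac_t)` with no comment, and in refpolicy both interfaces grant access to memory_device_t, i.e. /dev/mem and /dev/kmem, which is among the most powerful permissions a helper can hold. A comment naming the consumer and the data it reads would justify it, for example `# <probe helper> reads <table> through /dev/mem — confirm` with the placeholders filled in (presumably the SMBIOS probe, but that is not shown in this hunk). The correction of `dev_read_sysfs(hald_t)` to `dev_read_sysfs(hald_mac_t)` two lines below is the right target and needs no change.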
@@ -8335,7 +8372,7 @@
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-18 09:24:04.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-22 11:09:36.000000000 -0400
@@ -6,6 +6,7 @@
# Declarations
#
@@ -8394,6 +8431,17 @@
cron_dontaudit_write_pipes(system_mail_t)
')
+@@ -81,6 +94,10 @@
+ ')
+
+ optional_policy(`
++ exim_domtrans(system_mail_t)
++')
++
++optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.0.8/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mysql.fc 2007-10-03 11:10:24.000000000 -0400
@@ -9206,7 +9254,7 @@
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-10-22 17:07:13.000000000 -0400
@@ -41,6 +41,8 @@
allow postfix_$1_t self:unix_stream_socket connectto;
@@ -9339,7 +9387,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-10-12 09:13:21.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-10-22 11:19:20.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
@@ -11565,8 +11613,23 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-10-03 11:10:25.000000000 -0400
-@@ -26,6 +26,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-10-22 13:18:06.000000000 -0400
+@@ -16,6 +16,14 @@
+ type tftpdir_t;
+ files_type(tftpdir_t)
+
++## <desc>
++## <p>
++## Allow tftp to modify public files
++## used for public file transfer services.
++## </p>
++## </desc>
++gen_tunable(allow_tftp_anon_write,false)
++
+ ########################################
+ #
+ # Local policy
+@@ -26,12 +34,17 @@
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -11574,6 +11637,27 @@
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
+ allow tftpd_t tftpdir_t:file { read getattr };
+ allow tftpd_t tftpdir_t:lnk_file { getattr read };
+
++manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++
+ manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
+ files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
+
+@@ -72,6 +85,10 @@
+ miscfiles_read_localization(tftpd_t)
+ miscfiles_read_public_files(tftpd_t)
+
++tunable_policy(`allow_tftp_anon_write',`
++ miscfiles_manage_public_files(tftpd_t)
++')
++
+ sysnet_read_config(tftpd_t)
+ sysnet_use_ldap(tftpd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.0.8/policy/modules/services/ucspitcp.if
--- nsaserefpolicy/policy/modules/services/ucspitcp.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.if 2007-10-08 07:47:57.000000000 -0400
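Review bot: The three `manage_*_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)` rules are unconditional, while the write to public files further down is gated by the new `allow_tftp_anon_write` tunable; the declaration of `tftpdir_rw_t` and its file context are not in this hunk, so confirm they exist elsewhere in the patch or the module will fail to build. A short comment above the manage rules, e.g. `# tftpdir_rw_t is an upload area the admin labels explicitly; ordinary tftpdir_t stays read-only`, would make the two-tier design clear to whoever later toggles the boolean. The local policy section this sits in continues outside the hunk.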
@@ -11707,7 +11791,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-19 16:57:07.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-22 10:05:16.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -11740,7 +11824,7 @@
type $1_iceauth_t;
domain_type($1_iceauth_t)
-@@ -282,6 +286,7 @@
+@@ -282,11 +286,14 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -11748,7 +11832,22 @@
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
allow $1_xserver_t $2:process signal;
-@@ -353,12 +358,6 @@
+
+ allow $1_xserver_t $2:shm rw_shm_perms;
++ # Certain X Libraries want to read /proc/self/cmdline when started with startx
++ allow $1_xserver_t $2:file r_file_perms;
+
+ manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+ manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
+@@ -316,6 +323,7 @@
+ userdom_use_user_ttys($1,$1_xserver_t)
+ userdom_setattr_user_ttys($1,$1_xserver_t)
+ userdom_rw_user_tmpfs_files($1,$1_xserver_t)
++ userdom_rw_user_tmp_files($1,$1_xserver_t)
+
+ xserver_use_user_fonts($1,$1_xserver_t)
+ xserver_rw_xdm_tmp_files($1_xauth_t)
+@@ -353,12 +361,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
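Review bot: The comment on the new `allow $1_xserver_t $2:file r_file_perms;` names /proc/self/cmdline, but the rule is broader than that: $2 is the domain that starts the X server (see the `domtrans_pattern($2, xserver_exec_t, $1_xserver_t)` above), and every file under /proc/<pid> of its processes carries that label, so the X server can read cmdline, environ, maps and the rest for all $2 processes. The comment should say so, e.g. `# X libraries read /proc/<pid>/cmdline of the $2 process that started X (startx); this also exposes environ/maps of all $2 processes`. The template body this belongs to begins and ends outside the hunk.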
@@ -11761,7 +11860,7 @@
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
-@@ -387,6 +386,14 @@
+@@ -387,6 +389,14 @@
')
optional_policy(`
@@ -11776,7 +11875,7 @@
nis_use_ypbind($1_xauth_t)
')
-@@ -537,16 +544,14 @@
+@@ -537,16 +547,14 @@
gen_require(`
type xdm_t, xdm_tmp_t;
@@ -11798,7 +11897,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +560,53 @@
+@@ -555,25 +563,53 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -11860,7 +11959,7 @@
')
')
-@@ -626,6 +659,24 @@
+@@ -626,6 +662,24 @@
########################################
## <summary>
@@ -11885,7 +11984,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +710,73 @@
+@@ -659,6 +713,73 @@
########################################
## <summary>
@@ -11959,7 +12058,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -927,6 +1045,7 @@
+@@ -927,6 +1048,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -11967,7 +12066,7 @@
')
########################################
-@@ -987,6 +1106,37 @@
+@@ -987,6 +1109,37 @@
########################################
## <summary>
@@ -12005,7 +12104,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1286,7 @@
+@@ -1136,7 +1289,7 @@
type xdm_xserver_tmp_t;
')
@@ -12014,7 +12113,7 @@
')
########################################
-@@ -1325,3 +1475,63 @@
+@@ -1325,3 +1478,63 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -12080,7 +12179,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-19 14:06:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-22 10:06:42.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@@ -15565,7 +15664,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-18 17:22:34.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-22 10:19:23.000000000 -0400
@@ -132,6 +132,7 @@
init_read_utmp(udev_t)
@@ -15574,20 +15673,21 @@
libs_use_ld_so(udev_t)
libs_use_shared_libs(udev_t)
-@@ -184,6 +185,12 @@
+@@ -184,6 +185,13 @@
')
optional_policy(`
+ alsa_domtrans(udev_t)
+ alsa_search_lib(udev_t)
+ alsa_read_lib(udev_t)
++ alsa_read_rw_config(udev_t)
+')
+
+optional_policy(`
brctl_domtrans(udev_t)
')
-@@ -220,6 +227,10 @@
+@@ -220,6 +228,10 @@
')
optional_policy(`
@@ -15910,7 +16010,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-19 17:16:21.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-22 16:43:10.000000000 -0400
@@ -5,36 +5,51 @@
#
# Declarations
@@ -15970,7 +16070,7 @@
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +57,29 @@
+@@ -42,31 +57,29 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15987,35 +16087,29 @@
optional_policy(`
- ada_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
-- # this is disallowed usage:
-- unconfined_domain(httpd_unconfined_script_t)
+ ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
+- # this is disallowed usage:
+- unconfined_domain(httpd_unconfined_script_t)
+ bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- cron_per_role_template(unconfined,unconfined_t,unconfined_r)
-- # this is disallowed usage:
-- unconfined_domain(unconfined_crond_t)
+- bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-@@ -107,6 +114,10 @@
+@@ -107,6 +120,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
@@ -16026,7 +16120,7 @@
')
optional_policy(`
-@@ -114,15 +125,15 @@
+@@ -114,15 +131,15 @@
')
optional_policy(`
@@ -16045,7 +16139,7 @@
')
optional_policy(`
-@@ -130,15 +141,10 @@
+@@ -130,15 +147,10 @@
')
optional_policy(`
@@ -16063,7 +16157,7 @@
')
optional_policy(`
-@@ -155,32 +161,23 @@
+@@ -155,32 +167,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16100,7 +16194,7 @@
')
optional_policy(`
-@@ -205,11 +202,22 @@
+@@ -205,11 +208,22 @@
')
optional_policy(`
@@ -16112,20 +16206,20 @@
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mozilla_t)
+ allow unconfined_mozilla_t self:process { execstack execmem };
-+')
-+
-+optional_policy(`
-+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
++ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
++')
++
++optional_policy(`
+ xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t)
')
########################################
-@@ -225,8 +233,21 @@
+@@ -225,8 +239,21 @@
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
@@ -16158,7 +16252,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-19 16:52:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-22 17:00:16.000000000 -0400
@@ -29,8 +29,9 @@
')
@@ -17192,7 +17286,7 @@
')
########################################
-@@ -5559,3 +5724,380 @@
+@@ -5559,3 +5724,386 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -17399,6 +17493,12 @@
+ alsa_read_rw_config($1_usertype)
+')
+
++# Broken Cover up bugzilla #345921 Should be removed when this is fixed
++corenet_tcp_connect_soundd_port($1_t)
++corenet_tcp_sendrecv_soundd_port($1_t)
++corenet_tcp_sendrecv_all_if($1_t)
++corenet_tcp_sendrecv_lo_node($1_t)
++
+authlogin_per_role_template($1, $1_t, $1_r)
+
+auth_search_pam_console_data($1_usertype)
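Review bot: The four `corenet_tcp_*` rules added for the sound port target `$1_t` while the neighbouring calls in this template use `$1_usertype`, and they sit outside any tunable, so every user domain built from this template gets the access unconditionally. The comment itself calls this a stop-gap for bugzilla #345921, so consider putting the four lines under a tunable, or at least rewording the comment to `# Workaround for bugzilla #345921 (sound port access for user domains); remove once fixed` so the intent and the exit criterion are clear. The enclosing template starts and ends outside this hunk.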
@@ -17991,13 +18091,14 @@
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-10-17 12:57:05.000000000 -0400
-@@ -0,0 +1,13 @@
++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-10-22 16:08:51.000000000 -0400
+@@ -0,0 +1,14 @@
+policy_module(guest,1.0.0)
+userdom_unpriv_login_user(guest)
+userdom_unpriv_login_user(gadmin)
+userdom_unpriv_xwindows_login_user(xguest)
+mozilla_per_role_template(xguest, xguest_t, xguest_r)
++
+# Allow mounting of file systems
+optional_policy(`
+ hal_dbus_chat(xguest_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.551
retrieving revision 1.552
diff -u -r1.551 -r1.552
--- selinux-policy.spec 19 Oct 2007 21:21:40 -0000 1.551
+++ selinux-policy.spec 22 Oct 2007 21:27:07 -0000 1.552
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,17 @@
%endif
%changelog
+* Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-29
+- Allow XServer to read /proc/self/cmdline
+- Fix unconfined cron jobs
+- Allow fetchmail to transition to procmail
+- Fixes for hald_mac
+- Allow system_mail to transition to exim
+- Allow tftpd to upload files
+- Allow xdm to manage unconfined_tmp
+- Allow udef to read alsa config
+- Fix xguest to be able to connect to sound port
+
* Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-28
- Fixes for hald_mac
- Treat unconfined_home_dir_t as a home dir