rpms/selinux-policy/devel policy-20070703.patch, 1.65, 1.66 selinux-policy.spec, 1.527, 1.528

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Sep 20 22:31:23 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25821

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Thu Sep 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-5
- Fix java and mono to run in xguest account


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- policy-20070703.patch	20 Sep 2007 20:41:50 -0000	1.65
+++ policy-20070703.patch	20 Sep 2007 22:30:51 -0000	1.66
@@ -1439,7 +1439,7 @@
  application_executable_file(gconfd_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2007-09-20 18:08:22.000000000 -0400
 @@ -11,6 +11,7 @@
  #
  /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -1448,7 +1448,7 @@
  /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,9 @@
+@@ -20,5 +21,11 @@
  /usr/bin/grmic  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/grmiregistry  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/jv-convert  	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -1458,9 +1458,11 @@
 +
 +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 +
++/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-08-02 08:17:26.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 08:56:23.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 17:57:24.000000000 -0400
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
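Review bot: The added file-context entry for `/usr/lib(64)?/openoffice\.org/program/soffice\.bin` labels the office suite's main binary `java_exec_t`, so it runs in whichever Java domain the caller transitions into, not under rules written for a document-handling application. The java.if change in this same revision lets `$1_java_t` use `execheap`, `execmem` and `execstack`, which is a wide grant for a program that routinely opens untrusted files. If the reuse is deliberate, record the reason above the entry, for example `# soffice.bin labelled java_exec_t because <reason>; revisit once it has its own domain`. A dedicated type with only the permissions the suite needs would be the narrower fix. The java.fc section this entry belongs to starts outside the hunk.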
@@ -1480,7 +1482,7 @@
  	allow $1_javaplugin_t $2:fd use;
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-@@ -166,6 +165,57 @@
+@@ -166,6 +165,60 @@
  	optional_policy(`
  		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
  	')
@@ -1528,17 +1530,20 @@
 +
 +	userdom_unpriv_usertype($1, $1_java_t)
 +
-+	allow $1_java_t self:process { execheap execmem };
++	allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
 +
 +	domtrans_pattern($2, java_exec_t, $1_java_t)
 +
++	dev_read_urand($1_java_t)
++	dev_read_rand($1_java_t)
++
 +	optional_policy(`
 +		xserver_xdm_rw_shm($1_java_t)
 +	')
  ')
  
  ########################################
-@@ -219,3 +269,66 @@
+@@ -219,3 +272,66 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, java_exec_t, java_t)
  ')
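Review bot: The rewritten rule `allow $1_java_t self:process { getsched sigkill execheap execmem execstack };` adds `execstack` unconditionally to every per-role Java domain, on top of `execheap` and `execmem`. That leaves none of SELinux's executable-memory checks in force for the domain, including in the xguest role the log message names. If a particular JVM needs this, note the denial that motivated it in a comment above the rule, and if the policy has a boolean for executable stacks, move `execstack` behind it. `dev_read_rand($1_java_t)` also looks broader than needed next to `dev_read_urand($1_java_t)`; confirm the blocking device is required, since a guest session reading it can deplete entropy for other consumers. The template body starts and ends outside this hunk.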
@@ -6387,7 +6392,7 @@
 +term_search_ptys(ktalkd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if
 --- nsaserefpolicy/policy/modules/services/lpd.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/lpd.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/lpd.if	2007-09-20 18:02:10.000000000 -0400
 @@ -394,3 +394,22 @@
  
  	domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
@@ -13255,7 +13260,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-20 15:46:46.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-20 18:02:36.000000000 -0400
 @@ -29,8 +29,9 @@
  	')
  
@@ -13849,7 +13854,7 @@
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -954,21 +882,163 @@
+@@ -954,21 +882,164 @@
  ##	</summary>
  ## </param>
  #
@@ -13965,6 +13970,7 @@
 +	userdom_poly_tmp_template($1)
 +
 +	optional_policy(`
++		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
 +		cups_stream_connect_ptal($1_usertype)
 +	')
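Review bot: The new `cups_read_config($1_usertype)` call targets the whole `$1_usertype` attribute, so every domain carrying that attribute for the role can read the CUPS configuration, not only the login domain. What the interface exposes is not visible in this hunk; if the readable files include printer definitions, device URIs there can carry credentials, so confirm the grant covers only what print clients need. A short comment above the call, such as `# print clients need to read the cups client configuration`, would record the intent. The enclosing template body lies outside the hunk.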
@@ -14019,7 +14025,7 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1047,51 @@
+@@ -977,23 +1048,51 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -14082,7 +14088,7 @@
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1127,7 @@
+@@ -1029,15 +1128,7 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -14099,7 +14105,7 @@
  	')
  
  	optional_policy(`
-@@ -1054,17 +1144,6 @@
+@@ -1054,17 +1145,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -14117,7 +14123,7 @@
  ')
  
  #######################################
-@@ -1102,6 +1181,8 @@
+@@ -1102,6 +1182,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -14126,7 +14132,7 @@
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1208,7 @@
+@@ -1127,7 +1209,7 @@
  	# $1_t local policy
  	#
  
@@ -14135,7 +14141,7 @@
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,7 +1220,11 @@
+@@ -1139,7 +1221,11 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -14148,7 +14154,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1642,9 +1727,11 @@
+@@ -1642,9 +1728,11 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -14160,7 +14166,7 @@
  	files_type($2)
  ')
  
-@@ -1894,10 +1981,46 @@
+@@ -1894,10 +1982,46 @@
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
  		type $1_home_dir_t, $1_home_t;
@@ -14208,7 +14214,7 @@
  ')
  
  ########################################
-@@ -3078,7 +3201,7 @@
+@@ -3078,7 +3202,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -14217,7 +14223,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4738,24 @@
+@@ -4615,6 +4739,24 @@
  	files_list_home($1)
  	allow $1 home_dir_type:dir search_dir_perms;
  ')
@@ -14242,7 +14248,7 @@
  
  ########################################
  ## <summary>
-@@ -4633,6 +4774,14 @@
+@@ -4633,6 +4775,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -14257,7 +14263,7 @@
  ')
  
  ########################################
-@@ -5323,7 +5472,7 @@
+@@ -5323,7 +5473,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -14266,7 +14272,7 @@
  ')
  
  ########################################
-@@ -5559,3 +5708,376 @@
+@@ -5559,3 +5709,376 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.527
retrieving revision 1.528
diff -u -r1.527 -r1.528
--- selinux-policy.spec	20 Sep 2007 17:21:13 -0000	1.527
+++ selinux-policy.spec	20 Sep 2007 22:30:51 -0000	1.528
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,9 @@
 %endif
 
 %changelog
+* Thu Sep 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-5
+- Fix java and mono to run in xguest account
+
 * Wed Sep 19 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-4
 - Fix to add xguest account when inititial install
 - Allow mono, java, wine to run in userdomains



