rpms/selinux-policy/devel policy-20080710.patch, 1.76, 1.77 selinux-policy.spec, 1.734, 1.735
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Oct 27 21:07:06 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18153
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
* Mon Oct 27 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-9
- Allow openoffice execstack/execmem privs
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- policy-20080710.patch 25 Oct 2008 11:14:55 -0000 1.76
+++ policy-20080710.patch 27 Oct 2008 21:07:05 -0000 1.77
@@ -355,6 +355,28 @@
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.5.13/man/man8/httpd_selinux.8
+--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-08-25 09:12:31.000000000 -0400
++++ serefpolicy-3.5.13/man/man8/httpd_selinux.8 2008-10-27 10:41:03.000000000 -0400
+@@ -57,8 +57,7 @@
+ .EE
+
+ .SH BOOLEANS
+-SELinux policy is customizable based on least access required. So by
+-default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
++SELinux policy can be customizable based on least access required. So SElinux can prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
+ .PP
+ httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
+
+@@ -75,7 +74,7 @@
+ .EE
+
+ .PP
+-httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
++httpd by can be configured to not allow access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
+
+ .EX
+ setsebool -P httpd_tty_comm 1
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.13/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400
+++ serefpolicy-3.5.13/policy/flask/access_vectors 2008-10-17 10:31:26.000000000 -0400
@@ -4375,8 +4397,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-23 14:17:48.000000000 -0400
-@@ -0,0 +1,255 @@
++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-27 10:05:44.000000000 -0400
+@@ -0,0 +1,256 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -4571,6 +4593,7 @@
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+fs_list_inotifyfs(nsplugin_config_t)
++fs_search_auto_mountpoints(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@@ -6170,6 +6193,37 @@
')
########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-27 09:53:12.000000000 -0400
+@@ -1441,10 +1441,11 @@
+ #
+ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute port_type;
++ type reserved_port_t;
+ ')
+
+- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
++ allow $1 { port_type -reserved_port_t }:tcp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1459,10 +1460,11 @@
+ #
+ interface(`corenet_udp_bind_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute port_type;
++ type reserved_port_t;
+ ')
+
+- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
++ allow $1 { port_type -reserved_port_t }:udp_socket name_bind;
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-23 14:24:15.000000000 -0400
@@ -10595,7 +10649,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-23 10:30:58.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-27 16:11:48.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -11259,7 +11313,7 @@
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
-+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
++typealias httpd_sys_script_rw_t alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
@@ -11812,8 +11866,16 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.13/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-17 10:31:27.000000000 -0400
-@@ -247,6 +247,8 @@
++++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-27 09:51:11.000000000 -0400
+@@ -118,6 +118,7 @@
+ corenet_tcp_bind_dns_port(named_t)
+ corenet_udp_bind_dns_port(named_t)
+ corenet_tcp_bind_rndc_port(named_t)
++corenet_udp_bind_all_ports(named_t)
+ corenet_tcp_connect_all_ports(named_t)
+ corenet_sendrecv_dns_server_packets(named_t)
+ corenet_sendrecv_dns_client_packets(named_t)
+@@ -247,6 +248,8 @@
sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)
@@ -11909,7 +11971,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.13/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-27 12:54:15.000000000 -0400
@@ -20,6 +20,9 @@
type bluetooth_helper_exec_t;
application_executable_file(bluetooth_helper_exec_t)
@@ -11967,20 +12029,20 @@
sysadm_dontaudit_use_ptys(bluetooth_t)
sysadm_dontaudit_search_home_dirs(bluetooth_t)
-@@ -126,12 +130,13 @@
- sysadm_dontaudit_search_home_dirs(bluetooth_t)
-
+@@ -128,10 +132,15 @@
optional_policy(`
-- dbus_system_bus_client_template(bluetooth, bluetooth_t)
-- dbus_connect_system_bus(bluetooth_t)
-+ cups_dbus_chat(bluetooth_t)
+ dbus_system_bus_client_template(bluetooth, bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
++ dbus_system_domain(bluetooth_t, bluetooth_exec_t)
++
++ optional_policy(`
++ cups_dbus_chat(bluetooth_t)
')
optional_policy(`
- nis_use_ypbind(bluetooth_t)
-+ dbus_system_bus_client_template(bluetooth, bluetooth_t)
-+ dbus_connect_system_bus(bluetooth_t)
-+ dbus_system_domain(bluetooth_t, bluetooth_exec_t)
++ hal_dbus_chat(bluetooth_t)
++ ')
')
optional_policy(`
@@ -29644,7 +29706,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-24 10:26:04.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-27 09:05:47.000000000 -0400
@@ -6,35 +6,76 @@
# Declarations
#
@@ -29941,7 +30003,7 @@
')
########################################
-@@ -229,14 +295,50 @@
+@@ -229,14 +295,57 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -29966,7 +30028,7 @@
+
+optional_policy(`
+ xserver_rw_xdm_xserver_shm(unconfined_execmem_t)
-+')
+ ')
+
+########################################
+#
@@ -29983,7 +30045,7 @@
+optional_policy(`
+ gen_require(`
+ type mplayer_exec_t;
- ')
++ ')
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
+')
+
@@ -29994,6 +30056,13 @@
+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
+')
+
++optional_policy(`
++ gen_require(`
++ type openoffice_exec_t;
++ ')
++ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.fc 2008-10-17 10:31:27.000000000 -0400
@@ -30009,7 +30078,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-17 17:49:05.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-27 09:43:09.000000000 -0400
@@ -28,10 +28,14 @@
class context contains;
')
@@ -31135,6 +31204,15 @@
## </p>
## <p>
## This template creates a user domain, types, and
+@@ -1158,7 +1152,7 @@
+ #
+
+ # Inherit rules for ordinary users.
+- userdom_restricted_user_template($1)
++ userdom_restricted_xwindows_user_template($1)
+ userdom_common_user_template($1)
+
+ ##############################
@@ -1167,11 +1161,10 @@
#
@@ -31148,7 +31226,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1189,36 +1182,45 @@
+@@ -1189,36 +1182,41 @@
')
')
@@ -31165,33 +31243,29 @@
corenet_tcp_bind_all_nodes($1_t)
- corenet_tcp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
-+ ')
-+
-+ # Run pppd in pppd_t by default for user
-+ optional_policy(`
-+ ppp_run_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t })
')
++ # Run pppd in pppd_t by default for user
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+ games_rw_data($1_usertype)
++ ppp_run_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t })
')
optional_policy(`
- postgresql_userdom_template($1,$1_t,$1_r)
-+ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t })
++ games_rw_data($1_usertype)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+ cron_per_role_template($1, $1_t, $1_r)
++ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t })
')
optional_policy(`
- setroubleshoot_stream_connect($1_t)
-+ polkit_per_role_template($1, $1_usertype, $1_r)
++ cron_per_role_template($1, $1_t, $1_r)
+ ')
+
+ optional_policy(`
@@ -31207,7 +31281,7 @@
')
')
-@@ -1295,8 +1297,6 @@
+@@ -1295,8 +1293,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -31216,7 +31290,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1318,8 +1318,6 @@
+@@ -1318,8 +1314,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -31225,7 +31299,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1374,13 +1372,6 @@
+@@ -1374,13 +1368,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -31239,7 +31313,7 @@
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1432,6 +1423,7 @@
+@@ -1432,6 +1419,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -31247,7 +31321,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1461,10 +1453,6 @@
+@@ -1461,10 +1449,6 @@
seutil_run_semanage($1,$2,$3)
seutil_run_setfiles($1, $2, $3)
@@ -31258,7 +31332,7 @@
optional_policy(`
aide_run($1,$2, $3)
')
-@@ -1484,6 +1472,14 @@
+@@ -1484,6 +1468,14 @@
optional_policy(`
netlabel_run_mgmt($1,$2, $3)
')
@@ -31273,7 +31347,7 @@
')
########################################
-@@ -1741,11 +1737,15 @@
+@@ -1741,11 +1733,15 @@
#
template(`userdom_user_home_content',`
gen_require(`
@@ -31292,7 +31366,7 @@
')
########################################
-@@ -1841,11 +1841,11 @@
+@@ -1841,11 +1837,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -31306,7 +31380,7 @@
')
########################################
-@@ -1875,11 +1875,11 @@
+@@ -1875,11 +1871,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -31320,7 +31394,7 @@
')
########################################
-@@ -1923,12 +1923,12 @@
+@@ -1923,12 +1919,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -31336,7 +31410,7 @@
')
########################################
-@@ -1958,10 +1958,11 @@
+@@ -1958,10 +1954,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -31350,7 +31424,7 @@
')
########################################
-@@ -1993,11 +1994,47 @@
+@@ -1993,11 +1990,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -31400,7 +31474,7 @@
')
########################################
-@@ -2029,10 +2066,10 @@
+@@ -2029,10 +2062,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -31413,7 +31487,7 @@
')
########################################
-@@ -2062,11 +2099,11 @@
+@@ -2062,11 +2095,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -31427,7 +31501,7 @@
')
########################################
-@@ -2096,11 +2133,11 @@
+@@ -2096,11 +2129,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -31442,7 +31516,7 @@
')
########################################
-@@ -2130,10 +2167,14 @@
+@@ -2130,10 +2163,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -31459,7 +31533,7 @@
')
########################################
-@@ -2163,11 +2204,11 @@
+@@ -2163,11 +2200,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -31473,7 +31547,7 @@
')
########################################
-@@ -2197,11 +2238,11 @@
+@@ -2197,11 +2234,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -31487,7 +31561,7 @@
')
########################################
-@@ -2231,10 +2272,10 @@
+@@ -2231,10 +2268,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -31500,7 +31574,7 @@
')
########################################
-@@ -2266,12 +2307,12 @@
+@@ -2266,12 +2303,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -31516,7 +31590,7 @@
')
########################################
-@@ -2303,10 +2344,10 @@
+@@ -2303,10 +2340,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -31529,7 +31603,7 @@
')
########################################
-@@ -2338,12 +2379,12 @@
+@@ -2338,12 +2375,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -31545,7 +31619,7 @@
')
########################################
-@@ -2375,12 +2416,12 @@
+@@ -2375,12 +2412,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -31561,7 +31635,7 @@
')
########################################
-@@ -2412,12 +2453,12 @@
+@@ -2412,12 +2449,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -31577,7 +31651,7 @@
')
########################################
-@@ -2462,11 +2503,11 @@
+@@ -2462,11 +2499,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -31591,7 +31665,7 @@
')
########################################
-@@ -2511,11 +2552,11 @@
+@@ -2511,11 +2548,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -31605,7 +31679,7 @@
')
########################################
-@@ -2555,11 +2596,11 @@
+@@ -2555,11 +2592,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -31619,7 +31693,7 @@
')
########################################
-@@ -2589,11 +2630,11 @@
+@@ -2589,11 +2626,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -31633,7 +31707,7 @@
')
########################################
-@@ -2623,11 +2664,11 @@
+@@ -2623,11 +2660,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -31647,7 +31721,7 @@
')
########################################
-@@ -2659,10 +2700,10 @@
+@@ -2659,10 +2696,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -31660,7 +31734,7 @@
')
########################################
-@@ -2694,10 +2735,10 @@
+@@ -2694,10 +2731,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -31673,7 +31747,7 @@
')
########################################
-@@ -2727,12 +2768,12 @@
+@@ -2727,12 +2764,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -31689,7 +31763,7 @@
')
########################################
-@@ -2764,10 +2805,10 @@
+@@ -2764,10 +2801,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -31702,7 +31776,7 @@
')
########################################
-@@ -2799,10 +2840,10 @@
+@@ -2799,10 +2836,10 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -31715,7 +31789,7 @@
')
########################################
-@@ -2832,12 +2873,12 @@
+@@ -2832,12 +2869,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -31731,7 +31805,7 @@
')
########################################
-@@ -2869,10 +2910,10 @@
+@@ -2869,10 +2906,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -31744,7 +31818,7 @@
')
########################################
-@@ -2904,12 +2945,12 @@
+@@ -2904,12 +2941,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -31760,7 +31834,7 @@
')
########################################
-@@ -2941,11 +2982,11 @@
+@@ -2941,11 +2978,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -31774,7 +31848,7 @@
')
########################################
-@@ -2977,11 +3018,11 @@
+@@ -2977,11 +3014,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -31788,7 +31862,7 @@
')
########################################
-@@ -3013,11 +3054,11 @@
+@@ -3013,11 +3050,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -31802,7 +31876,7 @@
')
########################################
-@@ -3049,11 +3090,11 @@
+@@ -3049,11 +3086,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -31816,7 +31890,7 @@
')
########################################
-@@ -3085,11 +3126,11 @@
+@@ -3085,11 +3122,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -31830,7 +31904,7 @@
')
########################################
-@@ -3134,10 +3175,10 @@
+@@ -3134,10 +3171,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -31843,7 +31917,7 @@
files_search_tmp($2)
')
-@@ -3178,19 +3219,19 @@
+@@ -3178,19 +3215,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -31867,7 +31941,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -3211,13 +3252,13 @@
+@@ -3211,13 +3248,13 @@
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
@@ -31885,7 +31959,7 @@
')
########################################
-@@ -4616,11 +4657,11 @@
+@@ -4616,11 +4653,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -31899,7 +31973,7 @@
')
########################################
-@@ -4640,6 +4681,14 @@
+@@ -4640,6 +4677,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -31914,7 +31988,7 @@
')
########################################
-@@ -4677,6 +4726,8 @@
+@@ -4677,6 +4722,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -31923,7 +31997,7 @@
')
########################################
-@@ -4721,6 +4772,25 @@
+@@ -4721,6 +4768,25 @@
########################################
## <summary>
@@ -31949,7 +32023,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4946,7 +5016,7 @@
+@@ -4946,7 +5012,7 @@
########################################
## <summary>
@@ -31958,103 +32032,11 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5318,7 +5388,7 @@
+@@ -5318,6 +5384,42 @@
########################################
## <summary>
--## Read and write unprivileged user ttys.
+## Write all unprivileged users files in /tmp
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5326,18 +5396,17 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_use_unpriv_users_ttys',`
-+interface(`userdom_manage_unpriv_users_tmp_files',`
- gen_require(`
-- attribute user_ttynode;
-+ type user_tmp_t;
- ')
-
-- allow $1 user_ttynode:chr_file rw_term_perms;
-+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to use unprivileged
--## user ttys.
-+## Write all unprivileged users lnk_files in /tmp
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5345,17 +5414,17 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_dontaudit_use_unpriv_users_ttys',`
-+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
- gen_require(`
-- attribute user_ttynode;
-+ type user_tmp_t;
- ')
-
-- dontaudit $1 user_ttynode:chr_file rw_file_perms;
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
-
- ########################################
- ## <summary>
--## Read the process state of all user domains.
-+## Read and write unprivileged user ttys.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5363,18 +5432,18 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_use_unpriv_users_ttys',`
- gen_require(`
-- attribute userdomain;
-+ attribute user_ttynode;
- ')
-
-- read_files_pattern($1,userdomain,userdomain)
-- kernel_search_proc($1)
-+ allow $1 user_ttynode:chr_file rw_term_perms;
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of all user domains.
-+## Do not audit attempts to use unprivileged
-+## user ttys.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5382,17 +5451,54 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
- gen_require(`
-- attribute userdomain;
-+ attribute user_ttynode;
- ')
-
-- allow $1 userdomain:process getattr;
-+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Inherit the file descriptors from all user domains
-+## Read the process state of all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -32062,18 +32044,17 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_read_all_users_state',`
++interface(`userdom_manage_unpriv_users_tmp_files',`
+ gen_require(`
-+ attribute userdomain;
++ type user_tmp_t;
+ ')
+
-+ ps_process_pattern($1, userdomain)
-+ kernel_search_proc($1)
++ manage_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
-+## Get the attributes of all user domains.
++## Write all unprivileged users lnk_files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
@@ -32081,24 +32062,33 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_getattr_all_users',`
++interface(`userdom_manage_unpriv_users_tmp_symlinks',`
+ gen_require(`
-+ attribute userdomain;
++ type user_tmp_t;
+ ')
+
-+ allow $1 userdomain:process getattr;
++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
-+## Inherit the file descriptors from all user domains
+ ## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -5483,6 +5589,42 @@
+@@ -5368,7 +5470,7 @@
+ attribute userdomain;
+ ')
+
+- read_files_pattern($1,userdomain,userdomain)
++ ps_process_pattern($1, userdomain)
+ kernel_search_proc($1)
+ ')
+
+@@ -5483,7 +5585,43 @@
########################################
## <summary>
+-## Send a dbus message to all user domains.
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
@@ -32135,10 +32125,11 @@
+
+########################################
+## <summary>
- ## Send a dbus message to all user domains.
++## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5513,3 +5655,548 @@
+ ## <summary>
+@@ -5513,3 +5651,548 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -32689,7 +32680,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-10-27 09:04:14.000000000 -0400
@@ -8,13 +8,6 @@
## <desc>
@@ -32731,7 +32722,7 @@
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
-@@ -81,6 +73,76 @@
+@@ -81,6 +73,75 @@
# unprivileged user domains
attribute unpriv_userdomain;
@@ -32807,7 +32798,6 @@
+ manage_sock_files_pattern(privhome, cifs_t, cifs_t)
+ manage_fifo_files_pattern(privhome, cifs_t, cifs_t)
+')
-+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.13/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2008-10-17 10:31:27.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.734
retrieving revision 1.735
diff -u -r1.734 -r1.735
--- selinux-policy.spec 25 Oct 2008 11:14:56 -0000 1.734
+++ selinux-policy.spec 27 Oct 2008 21:07:05 -0000 1.735
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -462,6 +462,9 @@
%endif
%changelog
+* Mon Oct 27 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-9
+- Allow openoffice execstack/execmem privs
+
* Fri Oct 24 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-8
- Allow mozilla to run with unconfined_execmem_t
More information about the scm-commits
mailing list