rpms/selinux-policy/F-13 policy-F13.patch, 1.103, 1.104 selinux-policy.spec, 1.1007, 1.1008
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Apr 29 17:33:15 UTC 2010
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv9864
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
* Thu Apr 29 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-9
- Fixups for xguest policy
- Fixes for running sandbox firefox
Resolves: #587263
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/mls | 2
policy/modules/admin/accountsd.fc | 4
policy/modules/admin/accountsd.if | 164 +++
policy/modules/admin/accountsd.te | 55 +
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 4
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.if | 3
policy/modules/admin/consoletype.te | 1
policy/modules/admin/firstboot.te | 7
policy/modules/admin/kismet.te | 1
policy/modules/admin/logrotate.te | 42
policy/modules/admin/mcelog.te | 2
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.fc | 1
policy/modules/admin/netutils.te | 20
policy/modules/admin/prelink.fc | 4
policy/modules/admin/prelink.if | 28
policy/modules/admin/prelink.te | 78 +
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 4
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 387 +++++++
policy/modules/admin/rpm.te | 106 +-
policy/modules/admin/shorewall.te | 6
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 118 ++
policy/modules/admin/shutdown.te | 57 +
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 9
policy/modules/admin/tmpreaper.te | 24
policy/modules/admin/usermanage.if | 20
policy/modules/admin/usermanage.te | 21
policy/modules/admin/vbetool.te | 6
policy/modules/admin/vpn.te | 8
policy/modules/apps/chrome.fc | 3
policy/modules/apps/chrome.if | 90 +
policy/modules/apps/chrome.te | 86 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 47
policy/modules/apps/execmem.if | 110 ++
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 66 +
policy/modules/apps/gitosis.if | 2
policy/modules/apps/gnome.fc | 24
policy/modules/apps/gnome.if | 438 ++++++++
policy/modules/apps/gnome.te | 116 ++
policy/modules/apps/gpg.fc | 1
policy/modules/apps/gpg.if | 77 +
policy/modules/apps/gpg.te | 114 ++
policy/modules/apps/irc.fc | 7
policy/modules/apps/irc.if | 37
policy/modules/apps/irc.te | 104 ++
policy/modules/apps/java.fc | 7
policy/modules/apps/java.if | 4
policy/modules/apps/java.te | 9
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 68 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 108 ++
policy/modules/apps/livecd.te | 34
policy/modules/apps/loadkeys.if | 3
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.if | 5
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 62 +
policy/modules/apps/mozilla.te | 22
policy/modules/apps/mplayer.if | 36
policy/modules/apps/mplayer.te | 29
policy/modules/apps/nsplugin.fc | 10
policy/modules/apps/nsplugin.if | 391 +++++++
policy/modules/apps/nsplugin.te | 297 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 129 ++
policy/modules/apps/openoffice.te | 17
policy/modules/apps/podsleuth.te | 3
policy/modules/apps/pulseaudio.fc | 1
policy/modules/apps/pulseaudio.if | 39
policy/modules/apps/pulseaudio.te | 2
policy/modules/apps/qemu.if | 84 +
policy/modules/apps/qemu.te | 11
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 66 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 292 +++++
policy/modules/apps/sandbox.te | 382 +++++++
policy/modules/apps/seunshare.if | 78 -
policy/modules/apps/seunshare.te | 35
policy/modules/apps/slocate.te | 4
policy/modules/apps/telepathysofiasip.fc | 2
policy/modules/apps/telepathysofiasip.if | 69 +
policy/modules/apps/telepathysofiasip.te | 45
policy/modules/apps/userhelper.fc | 1
policy/modules/apps/userhelper.if | 56 +
policy/modules/apps/userhelper.te | 42
policy/modules/apps/vmware.if | 19
policy/modules/apps/vmware.te | 13
policy/modules/apps/wine.fc | 1
policy/modules/apps/wine.if | 11
policy/modules/apps/wine.te | 22
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 31
policy/modules/kernel/corecommands.if | 2
policy/modules/kernel/corenetwork.te.in | 29
policy/modules/kernel/devices.fc | 1
policy/modules/kernel/devices.if | 91 +
policy/modules/kernel/devices.te | 12
policy/modules/kernel/domain.if | 63 +
policy/modules/kernel/domain.te | 109 ++
policy/modules/kernel/files.fc | 20
policy/modules/kernel/files.if | 653 ++++++++++++
policy/modules/kernel/files.te | 13
policy/modules/kernel/filesystem.if | 176 +++
policy/modules/kernel/filesystem.te | 11
policy/modules/kernel/kernel.if | 107 ++
policy/modules/kernel/kernel.te | 34
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.if | 22
policy/modules/kernel/terminal.if | 29
policy/modules/roles/auditadm.te | 3
policy/modules/roles/guest.te | 6
policy/modules/roles/staff.te | 117 ++
policy/modules/roles/sysadm.te | 98 +
policy/modules/roles/unconfineduser.fc | 10
policy/modules/roles/unconfineduser.if | 667 ++++++++++++
policy/modules/roles/unconfineduser.te | 434 ++++++++
policy/modules/roles/unprivuser.te | 23
policy/modules/roles/xguest.te | 75 +
policy/modules/services/abrt.fc | 8
policy/modules/services/abrt.if | 143 ++
policy/modules/services/abrt.te | 157 ++-
policy/modules/services/afs.te | 5
policy/modules/services/aiccu.fc | 5
policy/modules/services/aiccu.if | 119 ++
policy/modules/services/aiccu.te | 41
policy/modules/services/aisexec.fc | 10
policy/modules/services/aisexec.if | 106 ++
policy/modules/services/aisexec.te | 115 ++
policy/modules/services/apache.fc | 16
policy/modules/services/apache.if | 142 ++
policy/modules/services/apache.te | 230 ++++
policy/modules/services/apcupsd.te | 4
policy/modules/services/arpwatch.te | 4
policy/modules/services/asterisk.if | 19
policy/modules/services/asterisk.te | 45
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 1
policy/modules/services/boinc.fc | 6
policy/modules/services/boinc.if | 151 ++
policy/modules/services/boinc.te | 92 +
policy/modules/services/bugzilla.fc | 4
policy/modules/services/bugzilla.if | 39
policy/modules/services/bugzilla.te | 57 +
policy/modules/services/cachefilesd.fc | 29
policy/modules/services/cachefilesd.if | 41
policy/modules/services/cachefilesd.te | 147 ++
policy/modules/services/ccs.te | 10
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 ++++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 9
policy/modules/services/cgroup.if | 35
policy/modules/services/cgroup.te | 87 +
policy/modules/services/clamav.te | 19
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 82 +
policy/modules/services/clogd.te | 65 +
policy/modules/services/cobbler.if | 4
policy/modules/services/cobbler.te | 12
policy/modules/services/consolekit.fc | 4
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 34
policy/modules/services/corosync.fc | 15
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 122 ++
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 99 +
policy/modules/services/cron.te | 94 +
policy/modules/services/cups.fc | 14
policy/modules/services/cups.te | 65 +
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 107 +-
policy/modules/services/dbus.te | 21
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 87 +
policy/modules/services/denyhosts.te | 73 +
policy/modules/services/devicekit.fc | 8
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 101 +
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 4
policy/modules/services/dnsmasq.te | 22
policy/modules/services/dovecot.fc | 6
policy/modules/services/dovecot.te | 46
policy/modules/services/fail2ban.if | 20
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 179 +++
policy/modules/services/git.fc | 9
policy/modules/services/git.if | 533 ++++++++++
policy/modules/services/git.te | 190 +++
policy/modules/services/hal.if | 22
policy/modules/services/hal.te | 33
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ksmtuned.te | 3
policy/modules/services/ldap.fc | 3
policy/modules/services/ldap.if | 81 +
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 23
policy/modules/services/milter.if | 20
policy/modules/services/milter.te | 8
policy/modules/services/modemmanager.te | 9
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 68 +
policy/modules/services/mta.te | 24
policy/modules/services/munin.fc | 58 +
policy/modules/services/munin.if | 66 +
policy/modules/services/munin.te | 169 +++
policy/modules/services/mysql.te | 3
policy/modules/services/nagios.fc | 83 +
policy/modules/services/nagios.if | 142 ++
policy/modules/services/nagios.te | 283 ++++-
policy/modules/services/networkmanager.fc | 20
policy/modules/services/networkmanager.if | 107 ++
policy/modules/services/networkmanager.te | 125 ++
policy/modules/services/nis.fc | 10
policy/modules/services/nis.if | 78 +
policy/modules/services/nis.te | 21
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 27
policy/modules/services/nslcd.te | 2
policy/modules/services/ntop.te | 32
policy/modules/services/ntp.te | 2
policy/modules/services/nut.te | 4
policy/modules/services/nx.fc | 12
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/oident.te | 1
policy/modules/services/openvpn.te | 7
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 ++++++
policy/modules/services/plymouthd.te | 107 ++
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 84 +
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 187 +++
policy/modules/services/postfix.te | 149 ++
policy/modules/services/ppp.te | 4
policy/modules/services/procmail.fc | 2
policy/modules/services/procmail.te | 26
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/qpidd.fc | 9
policy/modules/services/qpidd.if | 236 ++++
policy/modules/services/qpidd.te | 61 +
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 98 +
policy/modules/services/rgmanager.te | 226 ++++
policy/modules/services/rhcs.fc | 23
policy/modules/services/rhcs.if | 424 ++++++++
policy/modules/services/rhcs.te | 239 ++++
policy/modules/services/ricci.te | 39
policy/modules/services/rlogin.fc | 3
policy/modules/services/rlogin.te | 1
policy/modules/services/rpc.if | 1
policy/modules/services/rpc.te | 15
policy/modules/services/rsync.if | 4
policy/modules/services/rsync.te | 26
policy/modules/services/rtkit.if | 21
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 123 +-
policy/modules/services/sasl.te | 3
policy/modules/services/sendmail.if | 19
policy/modules/services/sendmail.te | 15
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 91 +
policy/modules/services/smartmon.te | 2
policy/modules/services/snmp.te | 3
policy/modules/services/snort.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 ++
policy/modules/services/spamassassin.te | 141 ++
policy/modules/services/squid.te | 21
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 88 +
policy/modules/services/ssh.te | 53 -
policy/modules/services/sssd.te | 2
policy/modules/services/tgtd.te | 4
policy/modules/services/tuned.te | 5
policy/modules/services/ucspitcp.te | 5
policy/modules/services/varnishd.if | 19
policy/modules/services/vhostmd.te | 2
policy/modules/services/virt.fc | 6
policy/modules/services/virt.if | 58 -
policy/modules/services/virt.te | 81 +
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 58 -
policy/modules/services/xserver.if | 393 +++++++
policy/modules/services/xserver.te | 398 ++++++-
policy/modules/system/application.te | 15
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 52 -
policy/modules/system/daemontools.if | 62 +
policy/modules/system/daemontools.te | 26
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 8
policy/modules/system/getty.te | 2
policy/modules/system/hostname.te | 3
policy/modules/system/init.fc | 3
policy/modules/system/init.if | 146 ++
policy/modules/system/init.te | 205 +++
policy/modules/system/ipsec.te | 16
policy/modules/system/iptables.fc | 4
policy/modules/system/iptables.if | 4
policy/modules/system/iptables.te | 15
policy/modules/system/libraries.fc | 148 ++
policy/modules/system/libraries.te | 8
policy/modules/system/locallogin.te | 40
policy/modules/system/logging.fc | 16
policy/modules/system/logging.if | 43
policy/modules/system/logging.te | 23
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 2
policy/modules/system/lvm.te | 21
policy/modules/system/modutils.te | 14
policy/modules/system/mount.fc | 8
policy/modules/system/mount.if | 138 ++
policy/modules/system/mount.te | 148 ++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 330 ++++++
policy/modules/system/selinuxutil.te | 242 +---
policy/modules/system/sosreport.fc | 2
policy/modules/system/sosreport.if | 113 ++
policy/modules/system/sosreport.te | 128 ++
policy/modules/system/sysnetwork.fc | 2
policy/modules/system/sysnetwork.if | 96 +
policy/modules/system/sysnetwork.te | 19
policy/modules/system/udev.fc | 1
policy/modules/system/udev.if | 19
policy/modules/system/udev.te | 13
policy/modules/system/unconfined.fc | 14
policy/modules/system/unconfined.if | 440 --------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 9
policy/modules/system/userdomain.if | 1550 ++++++++++++++++++++++++------
policy/modules/system/userdomain.te | 50
policy/modules/system/xen.if | 3
policy/modules/system/xen.te | 11
policy/support/misc_patterns.spt | 8
policy/support/obj_perm_sets.spt | 35
policy/users | 17
376 files changed, 21217 insertions(+), 2078 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.103
retrieving revision 1.104
diff -u -p -r1.103 -r1.104
--- policy-F13.patch 28 Apr 2010 21:49:28 -0000 1.103
+++ policy-F13.patch 29 Apr 2010 17:33:13 -0000 1.104
@@ -50,8 +50,15 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls
--- nsaserefpolicy/policy/mls 2010-03-08 14:49:44.000000000 -0500
-+++ serefpolicy-3.7.19/policy/mls 2010-04-14 10:48:18.000000000 -0400
-@@ -214,6 +214,7 @@
++++ serefpolicy-3.7.19/policy/mls 2010-04-29 13:30:49.000000000 -0400
+@@ -208,12 +208,14 @@
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++ ( t2 == mlstrustedobject ) or
+ ( t1 == mlsnetwrite ));
+
+ mlsconstrain unix_dgram_socket sendto
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
@@ -5421,7 +5428,7 @@ diff --exclude-from=exclude -N -u -r nsa
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-03-29 15:04:22.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-27 10:22:12.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-29 10:59:16.000000000 -0400
@@ -186,6 +186,25 @@
########################################
@@ -5726,8 +5733,8 @@ diff --exclude-from=exclude -N -u -r nsa
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-04-27 09:54:37.000000000 -0400
-@@ -0,0 +1,287 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-04-29 12:27:51.000000000 -0400
+@@ -0,0 +1,292 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -5758,7 +5765,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ allow $1 sandbox_domain:process transition;
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+ role $2 types sandbox_domain;
-+ allow sandbox_domain $1:process sigchld;
++ allow sandbox_domain $1:process { sigchld signull };
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
@@ -5772,7 +5779,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
+
-+ allow sandbox_x_domain $1:process { sigchld signal };
++ allow sandbox_x_domain $1:process { sigchld signal signull };
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
@@ -5787,6 +5794,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
+ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
@@ -5876,6 +5886,8 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
++ # Pulseaudio tmpfs files with different MCS labels
++ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
@@ -6017,8 +6029,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,368 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-04-29 12:22:20.000000000 -0400
+@@ -0,0 +1,382 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -6181,7 +6193,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
-+dev_list_sysfs(sandbox_x_domain)
++dev_read_sysfs(sandbox_x_domain)
+
+files_entrypoint_all_files(sandbox_x_domain)
+files_read_etc_files(sandbox_x_domain)
@@ -6273,6 +6285,7 @@ diff --exclude-from=exclude -N -u -r nsa
+allow sandbox_web_client_t self:capability { setuid setgid };
+allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
+allow sandbox_web_client_t self:process setsched;
++dontaudit sandbox_web_client_t self:process setrlimit;
+
+allow sandbox_web_client_t self:tcp_socket create_socket_perms;
+allow sandbox_web_client_t self:udp_socket create_socket_perms;
@@ -6331,12 +6344,25 @@ diff --exclude-from=exclude -N -u -r nsa
+userdom_rw_user_tmpfs_files(sandbox_web_client_t)
+
+optional_policy(`
++ hal_dbus_chat(sandbox_web_client_t)
++')
++
++optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_client_t)
+ nsplugin_rw_exec(sandbox_web_client_t)
+')
+
+optional_policy(`
-+ hal_dbus_chat(sandbox_web_client_t)
++ pulseaudio_stream_connect(sandbox_web_client_t)
++ allow sandbox_web_client_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
++
++optional_policy(`
++ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_client_t)
++')
++
++optional_policy(`
++ networkmanager_dontaudit_dbus_chat(sandbox_web_client_t)
+')
+
+########################################
@@ -7143,7 +7169,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 14:43:42.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-04-21 12:35:46.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-04-29 12:54:00.000000000 -0400
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@@ -7265,7 +7291,7 @@ diff --exclude-from=exclude -N -u -r nsa
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
-@@ -201,7 +220,7 @@
+@@ -201,13 +220,13 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -7274,6 +7300,13 @@ diff --exclude-from=exclude -N -u -r nsa
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
+ network_port(xen, tcp,8002,s0)
+ network_port(xfs, tcp,7100,s0)
+-network_port(xserver, tcp,6000-6020,s0)
++network_port(xserver, tcp,6000-6150,s0)
+ network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
+ network_port(zope, tcp,8021,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.19/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-04-14 10:48:18.000000000 -0400
@@ -9083,8 +9116,46 @@ diff --exclude-from=exclude -N -u -r nsa
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-27 09:14:39.000000000 -0400
-@@ -1959,7 +1959,7 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-29 10:22:42.000000000 -0400
+@@ -534,6 +534,37 @@
+
+ ########################################
+ ## <summary>
++## Dontaudit caller request the kernel to load a module
++## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to request that the kernel
++## load a kernel module. An example of this is the
++## auto-loading of network drivers when doing an
++## ioctl() on a network interface.
++## </p>
++## <p>
++## In the specific case of a module loading request
++## on a network interface, the domain will also
++## need the net_admin capability.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_dontaudit_request_load_module',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ dontaudit $1 kernel_t:system module_request;
++')
++
++########################################
++## <summary>
+ ## Get information on all System V IPC objects.
+ ## </summary>
+ ## <param name="domain">
+@@ -1959,7 +1990,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -9093,7 +9164,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2046,6 +2046,24 @@
+@@ -2046,6 +2077,24 @@
allow $1 unlabeled_t:filesystem mount;
')
@@ -9118,7 +9189,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
-@@ -2195,6 +2213,24 @@
+@@ -2195,6 +2244,24 @@
########################################
## <summary>
@@ -9143,7 +9214,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts by caller to get the
## attributes of an unlabeled file.
## </summary>
-@@ -2792,6 +2828,24 @@
+@@ -2792,6 +2859,24 @@
########################################
## <summary>
@@ -9168,7 +9239,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2807,3 +2861,23 @@
+@@ -2807,3 +2892,23 @@
typeattribute $1 kern_unconfined;
')
@@ -10718,8 +10789,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-04-21 11:40:24.000000000 -0400
-@@ -0,0 +1,433 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-04-29 07:45:09.000000000 -0400
+@@ -0,0 +1,434 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -10756,7 +10827,6 @@ diff --exclude-from=exclude -N -u -r nsa
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-+userdom_execmod_user_home_files(unconfined_t)
+userdom_unpriv_usertype(unconfined, unconfined_t)
+
+type unconfined_exec_t;
@@ -10828,6 +10898,10 @@ diff --exclude-from=exclude -N -u -r nsa
+ allow unconfined_t self:process execstack;
+')
+
++tunable_policy(`allow_execmod',`
++ userdom_execmod_user_home_files(unconfined_usertype)
++')
++
+tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use;
@@ -10848,8 +10922,6 @@ diff --exclude-from=exclude -N -u -r nsa
+ ')
+ ')
+
-+ userdom_execmod_user_home_files(unconfined_usertype)
-+
+ optional_policy(`
+ abrt_dbus_chat(unconfined_usertype)
+ abrt_run_helper(unconfined_usertype, unconfined_r)
@@ -11211,7 +11283,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-03-10 15:28:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-04-29 10:23:43.000000000 -0400
@@ -15,7 +15,7 @@
## <desc>
@@ -11235,7 +11307,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
-@@ -49,6 +49,14 @@
+@@ -49,12 +49,21 @@
storage_raw_read_removable_device(xguest_t)
')
')
@@ -11243,6 +11315,7 @@ diff --exclude-from=exclude -N -u -r nsa
+mount_dontaudit_exec_fusermount(xguest_t)
+
+allow xguest_t self:process execmem;
++kernel_dontaudit_request_load_module(xguest_t)
+
+tunable_policy(`allow_execstack',`
+ allow xguest_t self:process execstack;
@@ -11250,7 +11323,14 @@ diff --exclude-from=exclude -N -u -r nsa
# Allow mounting of file systems
optional_policy(`
-@@ -63,10 +71,9 @@
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+-
++ kernel_request_load_module(xguest_t)
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
+@@ -63,10 +72,9 @@
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -11262,20 +11342,20 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -81,19 +88,66 @@
+@@ -81,19 +89,66 @@
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ apache_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++ java_role_template(xguest, xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
-+ java_role_template(xguest, xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
+')
+
@@ -11320,19 +11400,19 @@ diff --exclude-from=exclude -N -u -r nsa
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
-+ ')
-+')
-+
+ ')
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
- ')
++ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
- ')
-
--#gen_user(xguest_u,, xguest_r, s0, s0)
++')
++
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400
@@ -19844,8 +19924,36 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.19/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-04-14 10:48:18.000000000 -0400
-@@ -118,6 +118,24 @@
++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-04-29 12:21:46.000000000 -0400
+@@ -100,6 +100,27 @@
+
+ ########################################
+ ## <summary>
++## Send and receive messages from
++## NetworkManager over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_dontaudit_dbus_chat',`
++ gen_require(`
++ type NetworkManager_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 NetworkManager_t:dbus send_msg;
++ dontaudit NetworkManager_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+ ## Send a generic signal to NetworkManager
+ ## </summary>
+ ## <param name="domain">
+@@ -118,6 +139,24 @@
########################################
## <summary>
@@ -19870,7 +19978,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Read NetworkManager PID files.
## </summary>
## <param name="domain">
-@@ -134,3 +152,71 @@
+@@ -134,3 +173,71 @@
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -24378,6 +24486,37 @@ diff --exclude-from=exclude -N -u -r nsa
+')
+
auth_can_read_shadow_passwords(rsync_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.19/policy/modules/services/rtkit.if
+--- nsaserefpolicy/policy/modules/services/rtkit.if 2010-03-23 10:55:15.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/rtkit.if 2010-04-29 12:22:59.000000000 -0400
+@@ -41,6 +41,27 @@
+
+ ########################################
+ ## <summary>
++## Do not audit send and receive messages from
++## rtkit_daemon over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rtkit_daemon_dontaudit_dbus_chat',`
++ gen_require(`
++ type rtkit_daemon_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 rtkit_daemon_t:dbus send_msg;
++ dontaudit rtkit_daemon_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+ ## Allow rtkit to control scheduling for your process
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-04-14 10:48:18.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.1007
retrieving revision 1.1008
diff -u -p -r1.1007 -r1.1008
--- selinux-policy.spec 28 Apr 2010 21:49:29 -0000 1.1007
+++ selinux-policy.spec 29 Apr 2010 17:33:15 -0000 1.1008
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -468,6 +468,11 @@ exit 0
%endif
%changelog
+* Thu Apr 29 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-9
+- Fixups for xguest policy
+- Fixes for running sandbox firefox
+Resolves: #587263
+
* Wed Apr 28 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-8
- Allow ksmtuned to use terminals
Resolves: #586663
More information about the scm-commits
mailing list