[selinux-policy/f14/master] - Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Aug 20 13:39:05 UTC 2010
commit 9d0027b8101a2f648f246337efd74ef497b89b42
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Aug 20 09:36:34 2010 -0400
- Allow clamscan_t execmem if clamd_use_jit set
- Add policy for firefox plugin-container
policy-F14.patch | 280 +++++++++++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 6 +-
2 files changed, 234 insertions(+), 52 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index a94e99d..e7984de 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -4697,7 +4697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.8.8/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc 2010-08-19 06:50:14.000000000 -0400
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -4706,10 +4706,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -27,3 +28,4 @@
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.8.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if 2010-07-30 14:06:53.000000000 -0400
-@@ -48,6 +48,12 @@
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if 2010-08-19 06:49:11.000000000 -0400
+@@ -29,6 +29,8 @@
+ allow mozilla_t $2:process { sigchld signull };
+ allow mozilla_t $2:unix_stream_socket connectto;
+
++ mozilla_plugin_run(mozilla_t, $2)
++
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mozilla_t)
+ allow $2 mozilla_t:process signal_perms;
+@@ -48,6 +50,12 @@
mozilla_dbus_chat($2)
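Review bot: The call `mozilla_plugin_run(mozilla_t, $2)` added inside mozilla_role does not match the interface this same commit defines, which is named `mozilla_run_plugin` and takes (domain, role); unless mozilla_plugin_run exists outside this patch, the module will not build. The argument order is also swapped for mozilla_role's parameters: elsewhere in the interface `$1` is the role (`pulseaudio_role($1, mozilla_t)`) and `$2` is the user domain (`allow $2 mozilla_t:process signal_perms`), so `$2` would end up in `role $2 types mozilla_plugin_t`. The line should read `mozilla_run_plugin(mozilla_t, $1)`. The mozilla_role interface itself begins before this hunk.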
@@ -4722,7 +4736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
optional_policy(`
pulseaudio_role($1, mozilla_t)
')
-@@ -108,7 +114,7 @@
+@@ -108,7 +116,7 @@
type mozilla_home_t;
')
@@ -4731,9 +4745,60 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
')
########################################
+@@ -168,6 +176,50 @@
+
+ ########################################
+ ## <summary>
++## Execute a domain transition to run mozilla_plugin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mozilla_domtrans_plugin',`
++ gen_require(`
++ type mozilla_plugin_t, mozilla_plugin_exec_t;
++ ')
++
++ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
++')
++
++
++########################################
++## <summary>
++## Execute mozilla_plugin in the mozilla_plugin domain, and
++## allow the specified role the mozilla_plugin domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the mozilla_plugin domain.
++## </summary>
++## </param>
++#
++interface(`mozilla_run_plugin',`
++ gen_require(`
++ type mozilla_plugin_t;
++ ')
++
++ mozilla_domtrans_plugin($1)
++ role $2 types mozilla_plugin_t;
++')
++
++########################################
++## <summary>
+ ## Send and receive messages from
+ ## mozilla over dbus.
+ ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-19 06:47:05.000000000 -0400
@@ -25,6 +25,7 @@
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
@@ -4742,7 +4807,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
userdom_user_home_content(mozilla_home_t)
type mozilla_tmpfs_t;
-@@ -89,6 +90,7 @@
+@@ -33,6 +34,13 @@
+ files_tmpfs_file(mozilla_tmpfs_t)
+ ubac_constrained(mozilla_tmpfs_t)
+
++type mozilla_plugin_t;
++type mozilla_plugin_exec_t;
++application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
++role system_r types mozilla_plugin_t;
++
++permissive mozilla_plugin_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -89,6 +97,7 @@
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
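Review bot: `permissive mozilla_plugin_t;` makes the new domain log-only, so none of the rules given to it in the "mozilla_plugin local policy" hunk later in this file (fifo, unix_stream_socket, etc files, localization) are actually enforced, and the plugin-container process — which by its name hosts browser plugins — gets no containment until the line is removed. That is a normal way to bootstrap a domain, but the declaration carries no marker that it is temporary, and the minimal local policy makes it likely denials will still be accumulating when this ships. Add a comment such as `# TODO: permissive while plugin-container policy is being developed; drop before enforcing` next to the declaration, and treat removal as a release gate rather than a follow-up. The same consideration applies to the local-policy hunk that adds the mozilla_plugin_t rules.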
@@ -4750,7 +4829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
corenet_tcp_sendrecv_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
-@@ -238,6 +240,7 @@
+@@ -238,6 +247,7 @@
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
@@ -4758,7 +4837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
')
optional_policy(`
-@@ -258,6 +261,11 @@
+@@ -258,6 +268,11 @@
')
optional_policy(`
@@ -4770,6 +4849,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
+@@ -266,3 +281,17 @@
+ optional_policy(`
+ thunderbird_domtrans(mozilla_t)
+ ')
++
++########################################
++#
++# mozilla_plugin local policy
++#
++
++allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
++allow mozilla_plugin_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(mozilla_plugin_t)
++
++files_read_etc_files(mozilla_plugin_t)
++
++miscfiles_read_localization(mozilla_plugin_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if
--- nsaserefpolicy/policy/modules/apps/mplayer.if 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/mplayer.if 2010-07-30 14:06:53.000000000 -0400
@@ -6337,8 +6434,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-18 06:50:04.000000000 -0400
-@@ -0,0 +1,394 @@
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-19 07:46:41.000000000 -0400
+@@ -0,0 +1,397 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -6563,6 +6660,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ sssd_dontaudit_search_lib(sandbox_x_domain)
+')
+
++optional_policy(`
++ udev_read_db(sandbox_x_domain)
++')
++
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
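Review bot: `udev_read_db(sandbox_x_domain)` is added here while the following hunk drops the same call for `sandbox_web_type`, which presumably widens the read-udev-db grant from the web sandbox to every type carrying sandbox_x_domain (the attribute is declared outside this hunk, so this is inferred). If the non-web X sandboxes genuinely need udev data, a one-line comment above the optional_policy block saying what in the sandbox reads it would keep the wider grant from looking accidental; otherwise leaving it on sandbox_web_type is the narrower rule.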
@@ -6707,7 +6808,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+optional_policy(`
+ udev_read_state(sandbox_web_type)
-+ udev_read_db(sandbox_web_type)
+')
+
+########################################
@@ -7065,8 +7165,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te
--- nsaserefpolicy/policy/modules/apps/telepathy.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-04 11:57:36.000000000 -0400
-@@ -0,0 +1,310 @@
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-19 05:59:57.000000000 -0400
+@@ -0,0 +1,311 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -7187,6 +7287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+dev_read_urand(telepathy_gabble_t)
+
+files_read_etc_files(telepathy_gabble_t)
++files_read_usr_files(telepathy_gabble_t)
+
+miscfiles_read_certs(telepathy_gabble_t)
+
@@ -7709,7 +7810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
dbus_session_bus_client($1_wm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc 2010-08-19 06:39:36.000000000 -0400
@@ -9,8 +9,10 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7783,7 +7884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
ifdef(`distro_suse', `
-@@ -340,3 +355,24 @@
+@@ -340,3 +355,27 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -7808,6 +7909,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.8.8/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if 2010-07-30 14:06:53.000000000 -0400
@@ -9800,8 +9904,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-08-18 09:32:20.000000000 -0400
-@@ -8,25 +8,56 @@
++++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-08-19 06:52:30.000000000 -0400
+@@ -8,25 +8,60 @@
role staff_r;
userdom_unpriv_user_template(staff)
@@ -9834,9 +9938,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
apache_role(staff_r, staff_t)
')
+ optional_policy(`
++ mozilla_run_plugin(staff_t, staff_r)
++')
++
+ifndef(`distro_redhat',`
+
- optional_policy(`
++optional_policy(`
auth_role(staff_r, staff_t)
')
+')
@@ -9858,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
bluetooth_role(staff_r, staff_t)
')
-@@ -94,12 +125,18 @@
+@@ -94,12 +129,18 @@
oident_manage_user_content(staff_t)
oident_relabel_user_content(staff_t)
')
@@ -9877,7 +9985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
pyzor_role(staff_r, staff_t)
')
-@@ -114,22 +151,27 @@
+@@ -114,22 +155,27 @@
optional_policy(`
screen_role_template(staff, staff_r, staff_t)
')
@@ -9905,7 +10013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
sudo_role_template(staff, staff_r, staff_t)
-@@ -141,6 +183,11 @@
+@@ -141,6 +187,11 @@
')
optional_policy(`
@@ -9917,7 +10025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
thunderbird_role(staff_r, staff_t)
')
-@@ -164,6 +211,78 @@
+@@ -164,6 +215,78 @@
wireshark_role(staff_r, staff_t)
')
@@ -11063,8 +11171,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-18 09:31:43.000000000 -0400
-@@ -0,0 +1,454 @@
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-19 06:51:51.000000000 -0400
+@@ -0,0 +1,458 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -11386,6 +11494,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
+
+optional_policy(`
++ mozilla_run_plugin(unconfined_usertype, unconfined_r)
++')
++
++optional_policy(`
+ ncftool_run(unconfined_t, unconfined_r)
+')
+
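Review bot: `mozilla_run_plugin(unconfined_usertype, unconfined_r)` uses the unconfined_usertype attribute where the neighbouring `ncftool_run(unconfined_t, unconfined_r)` in the same hunk uses the concrete unconfined_t type. If the intent is that every unconfined user type transitions into mozilla_plugin_t (the wider reading), a short comment saying so would stop the next maintainer from "fixing" it to unconfined_t; if not, use `mozilla_run_plugin(unconfined_t, unconfined_r)` for consistency with the surrounding calls.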
@@ -11521,8 +11633,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.8.8/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te 2010-07-30 14:06:53.000000000 -0400
-@@ -12,10 +12,13 @@
++++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te 2010-08-19 06:52:56.000000000 -0400
+@@ -12,11 +12,18 @@
userdom_unpriv_user_template(user)
@@ -11532,11 +11644,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
apache_role(user_r, user_t)
')
-+ifndef(`distro_redhat',`
optional_policy(`
++ mozilla_run_plugin(user_t, user_r)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
auth_role(user_r, user_t)
')
-@@ -104,12 +107,30 @@
+
+@@ -104,12 +111,30 @@
optional_policy(`
rssh_role(user_r, user_t)
')
@@ -11567,7 +11684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
spamassassin_role(user_r, user_t)
')
-@@ -149,6 +170,12 @@
+@@ -149,6 +174,12 @@
wireshark_role(user_r, user_t)
')
@@ -11582,7 +11699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-08-06 11:01:58.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-08-19 07:42:55.000000000 -0400
@@ -14,7 +14,7 @@
## <desc>
@@ -11641,7 +11758,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
')
')
-@@ -80,19 +88,74 @@
+@@ -76,23 +84,87 @@
+ ')
+
+ optional_policy(`
++ chrome_role(xguest_r, xguest_usertype)
++')
++
++
++optional_policy(`
+ hal_dbus_chat(xguest_t)
')
optional_policy(`
@@ -11655,11 +11781,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+
+optional_policy(`
+ java_role_template(xguest, xguest_r, xguest_t)
++')
++
++optional_policy(`
++ mono_role_template(xguest, xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
-+ mono_role_template(xguest, xguest_r, xguest_t)
++ mozilla_run_plugin(xguest_t, xguest_r)
+')
+
+optional_policy(`
@@ -11703,14 +11833,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ telepathy_dbus_session_role(xguest_r, xguest_t)
- ')
- ')
-
--#gen_user(xguest_u,, xguest_r, s0, s0)
++ ')
++')
++
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
@@ -11718,8 +11847,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
-+')
-+
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.8.8/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2010-07-27 16:06:05.000000000 -0400
@@ -12221,6 +12351,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
optional_policy(`
ccs_stream_connect(aisexec_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.8.8/policy/modules/services/amavis.if
+--- nsaserefpolicy/policy/modules/services/amavis.if 2010-07-27 16:06:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/amavis.if 2010-08-19 05:56:46.000000000 -0400
+@@ -56,7 +56,7 @@
+ ')
+
+ files_search_spool($1)
+- allow $1 amavis_spool_t:file read_file_perms;
++ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.8.8/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2010-07-27 16:06:05.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/amavis.te 2010-07-30 14:06:53.000000000 -0400
@@ -12238,7 +12380,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-08-20 07:38:00.000000000 -0400
+@@ -2,7 +2,7 @@
+
+ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
@@ -24,7 +24,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -12247,22 +12398,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,7 +42,6 @@
+@@ -43,8 +42,7 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,6 +72,7 @@
+ /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -74,7 +72,8 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+ /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -86,7 +85,6 @@
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -13809,8 +13964,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-11 07:44:10.000000000 -0400
-@@ -0,0 +1,145 @@
++++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-20 07:29:39.000000000 -0400
+@@ -0,0 +1,146 @@
+policy_module(boinc,1.0.0)
+
+########################################
@@ -13926,6 +14081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+#
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++allow boinc_t boinc_project_t:process sigkill;
+
+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
@@ -14612,7 +14768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
corenet_udp_bind_chronyd_port(chronyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-16 07:42:43.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-18 19:16:59.000000000 -0400
@@ -80,6 +80,7 @@
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
@@ -14633,7 +14789,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-@@ -182,6 +184,9 @@
+@@ -147,8 +149,10 @@
+
+ tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
++ allow clamscan_t self:process execmem;
+ ', `
+ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
+ ')
+
+ ########################################
+@@ -182,6 +186,9 @@
allow freshclam_t clamd_var_log_t:dir search_dir_perms;
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
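Review bot: Granting `allow clamscan_t self:process execmem;` under clamd_use_jit is the right shape (the allow/dontaudit pair stays symmetric), but the tunable's `<desc>` text, declared earlier in clamav.te outside this hunk, is named and presumably worded for clamd only and should now say that it also lets clamscan use the JIT. execmem removes the W^X guarantee for a process whose job is to parse hostile input, so the description should make the trade-off visible to whoever flips the boolean, and the default (not visible here) should stay off.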
@@ -14643,7 +14810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +194,7 @@
+@@ -189,6 +196,7 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -14651,7 +14818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,6 +213,8 @@
+@@ -207,6 +215,8 @@
clamav_stream_connect(freshclam_t)
@@ -23869,6 +24036,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.8.8/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpcbind.fc 2010-08-20 07:30:37.000000000 -0400
+@@ -2,6 +2,7 @@
+
+ /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
++/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+ /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
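Review bot: The new `/var/cache/rpcbind(/.*)?` context only takes effect on relabel; if rpcbind creates that directory itself at runtime, it will get the default label of its /var/cache parent unless rpcbind.te (not in this diff) has a matching file transition for it, so verify a filetrans rule exists and not just the file context. Reusing rpcbind_var_lib_t for a /var/cache path is defensible for compatibility, but a comment such as `# rpcbind state also lives under /var/cache; shares the var_lib type` would explain the name mismatch to the next reader.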
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.8.8/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/rpcbind.if 2010-07-30 14:06:53.000000000 -0400
@@ -35448,7 +35626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-18 09:41:31.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-19 07:42:28.000000000 -0400
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c24b841..c8087f0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 16%{?dist}
+Release: 17%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Thu Aug 18 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-17
+- Allow clamscan_t execmem if clamd_use_jit set
+- Add policy for firefox plugin-container
+
* Wed Aug 17 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-16
- Fix /root/.forward definition