[selinux-policy/f12/master] - Add label for '/usr/share/sampler/tray/tray' - Fixes for abrt policy - Fixes for chrome-sandbox policy
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Oct 1 07:28:23 UTC 2010
commit 3a8f668266f9888e5147a5d61dab168b5d61ef76
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Oct 1 09:27:33 2010 +0200
- Add label for '/usr/share/sampler/tray/tray'
- Fixes for abrt policy
- Fixes for chrome-sandbox policy
policy-20100106.patch | 174 +++++++++++++++++++++++++++++++++++++++++--------
selinux-policy.spec | 7 ++-
2 files changed, 153 insertions(+), 28 deletions(-)
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index 7b83d7e..6ad11b0 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -1394,7 +1394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-04-13 15:01:31.593601647 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-10-01 08:33:42.677599778 +0200
@@ -23,8 +23,7 @@
#
# chrome_sandbox local policy
@@ -1420,9 +1420,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_rw_user_tmpfs_files(chrome_sandbox_t)
userdom_use_user_ptys(chrome_sandbox_t)
-@@ -59,15 +63,17 @@
+@@ -58,25 +62,30 @@
+ miscfiles_read_localization(chrome_sandbox_t)
miscfiles_read_fonts(chrome_sandbox_t)
++sysnet_dontaudit_read_config(chrome_sandbox_t)
++
optional_policy(`
- gnome_write_inherited_config(chrome_sandbox_t)
+ execmem_exec(chrome_sandbox_t)
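Review bot: `sysnet_dontaudit_read_config(chrome_sandbox_t)` hides, rather than grants, reads of network configuration files (net_conf_t); if the sandbox helper ever resolves names itself, that lookup will now fail silently with no AVC left to point at. If the denials come from harmless library initialisation, record that so the rule is not mistaken for a missing permission later, e.g. `# resolver/library init touches net config; the setuid helper itself needs no lookups`; if the helper does need the data, `sysnet_read_config(chrome_sandbox_t)` is the honest rule. The chrome_sandbox_t policy block starts and continues outside this hunk.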
@@ -1441,6 +1444,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`use_nfs_home_dirs',`
+- fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+- fs_dontaudit_read_nfs_files(chrome_sandbox_t)
+- fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t)
++ fs_search_nfs(chrome_sandbox_t)
++ fs_read_inherited_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_symlinks(chrome_sandbox_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(chrome_sandbox_t)
++ fs_read_inherited_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+- fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+ ')
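Review bot: The NFS and CIFS home-directory branches are no longer symmetric: the NFS branch gains `fs_read_nfs_symlinks(chrome_sandbox_t)` and drops its append dontaudit, while the CIFS branch gets no symlink rule and keeps `fs_dontaudit_append_cifs_files(chrome_sandbox_t)`. Unless the two cases genuinely differ, the CIFS branch should mirror the NFS one (adding the cifs symlink-read counterpart if this tree provides it), or the NFS symlink allow should be dropped. Note that the symlink rule is presumably a plain allow on every nfs_t symlink rather than an inherited-descriptor rule like `fs_read_inherited_nfs_files` beside it, so for a privileged helper like chrome-sandbox it is the one new permission here that deserves a comment naming the denial it fixes. The surrounding chrome_sandbox_t policy starts and ends outside this hunk.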
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 2010-01-18 18:24:22.590539929 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-03-11 22:17:04.177894107 +0100
@@ -3073,7 +3090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-09-01 14:34:55.989084677 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-09-30 17:44:01.683349415 +0200
@@ -166,6 +166,7 @@
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
@@ -3095,7 +3112,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
-@@ -237,6 +241,7 @@
+@@ -234,9 +238,11 @@
+ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/sampler/tray/tray -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3103,7 +3124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -244,6 +249,7 @@
+@@ -244,6 +250,7 @@
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3111,7 +3132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-@@ -299,6 +305,7 @@
+@@ -299,6 +306,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -4436,7 +4457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-01-18 18:24:22.685530781 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-03-02 17:30:45.367615524 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-09-30 17:48:05.733351004 +0200
@@ -105,8 +105,10 @@
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
@@ -4449,7 +4470,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -216,8 +218,10 @@
+@@ -211,13 +213,16 @@
+ abrt_read_pid_files(domain)
+ abrt_read_state(domain)
+ abrt_signull(domain)
++ abrt_stream_connect(domain)
+ ')
+
optional_policy(`
rpm_use_fds(domain)
rpm_read_pipes(domain)
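Review bot: `abrt_stream_connect(domain)` lets every domain on the system, confined network services included, connect to abrtd's unix socket, which is a much wider trust boundary than the read and signull rules already in this optional block, and nothing in the hunk records why a two-way channel from every process is needed. A one-line comment would make the intent reviewable, e.g. `# abrt's crash hook runs inside every process and reports to abrtd over its socket` (presumed reason; please confirm). Whatever abrtd reads from that socket must from now on be treated as untrusted input from an arbitrary domain. The `optional_policy(` block this sits in starts outside the hunk.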
@@ -5173,8 +5200,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# compatibility aliases for removed types:
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-03-23 13:14:01.858389781 +0100
-@@ -988,6 +988,25 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-10-01 08:23:48.728349711 +0200
+@@ -890,6 +890,24 @@
+ dontaudit $1 cifs_t:file append_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Read inherited files on a CIFS or SMB filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_read_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file read_inherited_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to read or
+@@ -988,6 +1006,25 @@
exec_files_pattern($1, cifs_t, cifs_t)
')
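Review bot: The parameter summary of the new `fs_read_inherited_cifs_files` interface says `Domain to not audit.`, but the body is an `allow` rule, so the text was copied from the neighbouring dontaudit interface; it should read `## Domain allowed access.` like refpolicy's other allow interfaces. The banner above it also appears one `#` shorter than the surrounding `########################################` separators, which the doc generator tolerates but which stands out in this file. The rule itself is a straightforward `read_inherited_file_perms` grant on cifs_t and matches the nfs variant added later in this patch.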
@@ -5200,7 +5252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Create, read, write, and delete directories
-@@ -1632,6 +1651,36 @@
+@@ -1632,6 +1669,36 @@
########################################
## <summary>
@@ -5237,7 +5289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search inotifyfs filesystem.
## </summary>
## <param name="domain">
-@@ -1668,6 +1717,24 @@
+@@ -1668,6 +1735,24 @@
########################################
## <summary>
@@ -5262,7 +5314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Mount an iso9660 filesystem, which
## is usually used on CDs.
## </summary>
-@@ -2010,6 +2077,25 @@
+@@ -2010,6 +2095,25 @@
exec_files_pattern($1, nfs_t, nfs_t)
')
@@ -5288,7 +5340,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Append files
-@@ -3186,6 +3272,24 @@
+@@ -2050,6 +2154,24 @@
+ dontaudit $1 nfs_t:file append_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Read inherited files on a NFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_read_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file read_inherited_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to read or
+@@ -3186,6 +3308,24 @@
allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
')
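Review bot: As with the cifs variant, the parameter summary of `fs_read_inherited_nfs_files` says `Domain to not audit.` although the body is an `allow` rule; it should read `## Domain allowed access.`. The summary line would also read better as `## Read inherited files on an NFS filesystem.`, and the banner appears one `#` short of the file's separator width. Otherwise the interface is the expected `read_inherited_file_perms` grant on nfs_t.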
@@ -5313,7 +5390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Mount a tmpfs filesystem.
-@@ -3496,6 +3600,24 @@
+@@ -3496,6 +3636,24 @@
########################################
## <summary>
@@ -5338,7 +5415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write generic tmpfs files.
## </summary>
## <param name="domain">
-@@ -3722,7 +3844,7 @@
+@@ -3722,7 +3880,7 @@
########################################
## <summary>
@@ -5347,7 +5424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -3730,17 +3852,17 @@
+@@ -3730,17 +3888,17 @@
## </summary>
## </param>
#
@@ -5368,7 +5445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -3748,12 +3870,12 @@
+@@ -3748,12 +3906,12 @@
## </summary>
## </param>
#
@@ -5383,7 +5460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3891,6 +4013,44 @@
+@@ -3891,6 +4049,44 @@
allow $1 filesystem_type:filesystem unmount;
')
@@ -5428,7 +5505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Get the attributes of all persistent
-@@ -4297,6 +4457,26 @@
+@@ -4297,6 +4493,26 @@
########################################
## <summary>
@@ -5455,7 +5532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write files on cgroup
## file systems.
## </summary>
-@@ -4409,3 +4589,23 @@
+@@ -4409,3 +4625,23 @@
write_files_pattern($1, cgroup_t, cgroup_t)
')
@@ -6255,7 +6332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-09-30 17:49:13.511600481 +0200
@@ -35,6 +35,11 @@
')
@@ -6268,6 +6345,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
######################################
+@@ -214,6 +219,25 @@
+ allow $1 abrt_t:process signull;
+ ')
+
++#######################################
++## <summary>
++## Connect to abrt over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_stream_connect',`
++ gen_require(`
++ type abrt_t, abrt_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
++')
++
+ #####################################
+ ## <summary>
+ ## All of the rules required to administrate
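Review bot: The summary of the new `abrt_stream_connect` interface reads `Connect to abrt over an unix stream socket.`; `a unix` is the idiomatic form, and it is worth naming the socket meant, i.e. the one under abrtd's `abrt_var_run_t` pid directory that the `stream_connect_pattern` line targets. The rule body is the standard pattern and `files_search_pids($1)` correctly covers the path walk. Because this commit hands the interface to the `domain` attribute, a sentence in the description noting that callers may be any domain, so abrtd must validate what arrives on the socket, would help the abrt maintainers.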
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-08-17 12:15:17.471085294 +0200
@@ -18230,7 +18333,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-10 13:59:49.976859557 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-10-01 08:59:22.987601967 +0200
@@ -52,6 +52,7 @@
kernel_use_fds(iptables_t)
@@ -18239,7 +18342,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_sysfs(iptables_t)
-@@ -71,6 +72,7 @@
+@@ -68,9 +69,11 @@
+
+ files_read_etc_files(iptables_t)
+ files_read_etc_runtime_files(iptables_t)
++files_read_usr_files(iptables_t)
auth_use_nsswitch(iptables_t)
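Review bot: `files_read_usr_files(iptables_t)` grants read access to every usr_t file, and no comment records which path under /usr the iptables tools were denied on, unlike the existing `# to allow rules to be saved on reboot:` note further down in this block. Add a short why-comment above the line naming the denied path (or the bug it fixes) so a later reviewer can judge whether a narrower type would do. The iptables_t policy block starts and ends outside this hunk.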
@@ -18247,7 +18354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_use_fds(iptables_t)
init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
-@@ -87,6 +89,10 @@
+@@ -87,6 +90,10 @@
userdom_use_user_terminals(iptables_t)
userdom_use_all_users_fds(iptables_t)
@@ -19303,8 +19410,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-01-18 18:24:22.969542320 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-02-16 16:50:00.011598570 +0100
-@@ -430,6 +430,10 @@
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-10-01 08:57:09.109598807 +0200
+@@ -72,7 +75,12 @@
+ optional_policy(`
+ ntp_run(dhcpc_t, $2)
+ ')
++
+ seutil_run_setfiles(dhcpc_t, $2)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit dhcpc_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
+@@ -430,6 +438,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
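Review bot: The new `dontaudit dhcpc_t $1:socket_class_set { read write };` silences reads and writes on every socket class inherited from the caller `$1`; wrapping it in `hide_broken_symptoms` is the right tool for a leaked descriptor, but nothing says which caller leaks a socket to dhclient, so the rule can never be retired once the leak is fixed. A comment above the `ifdef` such as `# $1 leaks socket fds into dhclient; hide the noise until the caller is fixed` would keep that traceable. The interface this lives in (its `interface(` line and the `$2` role parameter) starts outside the hunk.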
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 62acc0a..cecf514 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 122%{?dist}
+Release: 123%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
%endif
%changelog
+* Fri Oct 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-123
+- Add label for '/usr/share/sampler/tray/tray'
+- Fixes for abrt policy
+- Fixes for chrome-sandbox policy
+
* Wed Sep 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-122
- Fixes for nut policy