[selinux-policy: 2856/3172] Merge branch 'master' of http://oss.tresys.com/git/refpolicy

Thu Oct 7 23:14:17 UTC 2010

commit cbadf720ba59b4f705c54add75443524d71c1a4e
Merge: 02fb4a0 785ee79
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Sep 1 14:11:18 2010 -0400

    Merge branch 'master' of http://oss.tresys.com/git/refpolicy
    
    Conflicts:
    	policy/modules/kernel/domain.if
    	policy/modules/services/xserver.te

 Changelog                           |    1 +
 policy/modules/admin/vbetool.te     |   13 ++++++++++-
 policy/modules/apps/wine.if         |    4 +++
 policy/modules/apps/wine.te         |   13 ++++++++++-
 policy/modules/kernel/domain.if     |   40 ++++++++++++++++++++++++++++++----
 policy/modules/kernel/domain.te     |   10 +++++++-
 policy/modules/kernel/kernel.if     |   20 +++++++++++++++++
 policy/modules/services/xserver.te  |    3 +-
 policy/modules/system/mount.te      |    2 +-
 policy/modules/system/unconfined.if |    2 +-
 10 files changed, 97 insertions(+), 11 deletions(-)
---
diff --cc policy/modules/apps/wine.if
index 62e455a,0440b4c..f5a9673

--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@@ -105,17 -101,14 +105,21 @@@ template(`wine_role_template',
  	corecmd_bin_domtrans($1_wine_t, $1_t)
  
  	userdom_unpriv_usertype($1, $1_wine_t)
 -	userdom_manage_user_tmpfs_files($1_wine_t)
 +	userdom_manage_tmpfs_role($2, $1_wine_t)
  
 -	domain_mmap_low($1_wine_t)
 +	domain_mmap_low_type($1_wine_t)
 +	tunable_policy(`mmap_low_allowed',`
 +		allow $1_wine_t self:memprotect mmap_zero;
 +	')
 +
 +	tunable_policy(`wine_mmap_zero_ignore',`
 +		dontaudit $1_wine_t self:memprotect mmap_zero;
 +	')
  
+ 	tunable_policy(`wine_mmap_zero_ignore',`
+ 		dontaudit $1_wine_t self:memprotect mmap_zero;
+ 	')
+ 
  	optional_policy(`
  		xserver_role($1_r, $1_wine_t)
  	')
diff --cc policy/modules/apps/wine.te
index 6fe38a1,f9a123a..51e65e7
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@@ -1,13 -1,5 +1,13 @@@
- policy_module(wine, 1.7.1)
+ policy_module(wine, 1.7.2)
  
 +## <desc>
 +## <p>
 +## Ignore wine mmap_zero errors
 +## </p>
 +## </desc>
 +#
 +gen_tunable(wine_mmap_zero_ignore, false)
 +
  ########################################
  #
  # Declarations
diff --cc policy/modules/kernel/domain.te
index b9c5804,099f57f..ae62211
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@@ -4,22 -4,15 +4,30 @@@ policy_module(domain, 1.8.1
  #
  # Declarations
  #
 +## <desc>
 +## <p>
 +## Allow all domains to use other domains file descriptors
 +## </p>
 +## </desc>
 +#
 +gen_tunable(allow_domain_fd_use, true)
 +
 +## <desc>
 +## <p>
 +## Allow all domains to have the kernel load modules
 +## </p>
 +## </desc>
 +#
 +gen_tunable(domain_kernel_load_modules, false)
  
+ ## <desc>
+ ## <p>
+ ##	Control the ability to mmap a low area of the address space,
+ ##	as configured by /proc/sys/kernel/mmap_min_addr.
+ ## </p>
+ ## </desc>
+ gen_tunable(mmap_low_allowed, false)
+ 
  # Mark process types as domains
  attribute domain;
  
diff --cc policy/modules/kernel/kernel.if
index d676187,ed7667a..46e9859
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@@ -698,26 -698,6 +698,46 @@@ interface(`kernel_read_debugfs',
  
  ########################################
  ## <summary>
 +##	Read/Write information from the debugging filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`kernel_rw_debugfs',`
 +	gen_require(`
 +		type debugfs_t;
 +	')
 +
 +	rw_files_pattern($1, debugfs_t, debugfs_t)
 +	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
 +	list_dirs_pattern($1, debugfs_t, debugfs_t)
 +')
 +
 +########################################
 +## <summary>
++##	Manage information from the debugging filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_manage_debugfs',`
++	gen_require(`
++		type debugfs_t;
++	')
++
++	manage_files_pattern($1, debugfs_t, debugfs_t)
++	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
++	list_dirs_pattern($1, debugfs_t, debugfs_t)
++')
++
++########################################
++## <summary>
  ##	Mount a kernel VM filesystem.
  ## </summary>
  ## <param name="domain">
diff --cc policy/modules/system/mount.te
index 2639086,fca6947..a2f7102
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@@ -68,23 -46,9 +68,23 @@@ can_exec(mount_t, mount_exec_t
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
 +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
 +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
 +files_pid_filetrans(mount_t,mount_var_run_t,dir)
 +files_var_filetrans(mount_t,mount_var_run_t,dir)
 +
 +# In order to mount reiserfs_t
 +kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_list_unlabeled(mount_t)
 +kernel_mount_unlabeled(mount_t)
 +kernel_unmount_unlabeled(mount_t)
  kernel_read_system_state(mount_t)
 +kernel_read_network_state(mount_t)
  kernel_read_kernel_sysctls(mount_t)
- kernel_rw_debugfs(mount_t)
 -kernel_dontaudit_getattr_core_if(mount_t)
++kernel_manage_debugfs(mount_t)
 +kernel_setsched(mount_t)
 +kernel_use_fds(mount_t)
 +kernel_request_load_module(mount_t)
  
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
diff --cc policy/modules/system/unconfined.if
index bdb4c7b,416e668..b3da05d
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@@ -45,16 -44,6 +45,16 @@@ interface(`unconfined_domain_noaudit',
  	fs_unconfined($1)
  	selinux_unconfined($1)
  
- 	domain_mmap_low_type($1)
++	domain_mmap_low($1)
 +
 +	mls_file_read_all_levels($1)
 +
 +	ubac_process_exempt($1)
 +
 +	tunable_policy(`mmap_low_allowed',`
 +		allow $1 self:memprotect mmap_zero;
 +	')
 +
  	tunable_policy(`allow_execheap',`
  		# Allow making the stack executable via mprotect.
  		allow $1 self:process execheap;
