[selinux-policy/f14/master] - xdm needs to read KDE config files
Miroslav Grepl
mgrepl at fedoraproject.org
Sun Mar 20 21:03:09 UTC 2011
commit c42458c3dcd09700be50a351b94b37aa182ad828
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Sun Mar 20 22:02:58 2011 +0000
- xdm needs to read KDE config files
policy-F14.patch | 285 ++++++++++++++++++++++++++++-----------------------
selinux-policy.spec | 5 +-
2 files changed, 161 insertions(+), 129 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 0fe1337..e56fa4d 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -2774,8 +2774,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.9.7/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/execmem.if 2011-02-25 17:40:39.072546235 +0000
-@@ -0,0 +1,110 @@
++++ serefpolicy-3.9.7/policy/modules/apps/execmem.if 2011-03-20 21:09:28.797630001 +0000
+@@ -0,0 +1,115 @@
+## <summary>execmem domain</summary>
+
+########################################
@@ -2849,6 +2849,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+ chrome_role($2, $1_execmem_t)
+ ')
+
++ # needed by plasma-desktop
++ optional_policy(`
++ gnome_read_usr_config($1_execmem_t)
++ ')
++
+ optional_policy(`
+ mozilla_execmod_user_home_files($1_execmem_t)
+ ')
@@ -3066,7 +3071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.9.7/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/gnome.if 2011-03-18 16:41:57.494630000 +0000
++++ serefpolicy-3.9.7/policy/modules/apps/gnome.if 2011-03-20 21:38:02.629630001 +0000
@@ -37,8 +37,7 @@
########################################
@@ -3464,7 +3469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
')
########################################
-@@ -151,40 +431,213 @@
+@@ -151,40 +431,235 @@
########################################
## <summary>
@@ -3495,7 +3500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
## <summary>
-## manage gnome homedir content (.config)
+## manage gconf home files
- ## </summary>
++## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
@@ -3514,7 +3519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+########################################
+## <summary>
+## Connect to gnome over an unix stream socket.
-+## </summary>
+ ## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
@@ -3670,6 +3675,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+ allow gconfdefaultsm_t $1:dbus send_msg;
+')
+
++
++#####################################
++## <summary>
++## Allow manage kde config content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_read_usr_config',`
++ gen_require(`
++ type config_usr_t;
++ ')
++
++ files_search_usr($1)
++ list_dirs_pattern($1, config_usr_t, config_usr_t)
++ read_files_pattern($1, config_usr_t, config_usr_t)
++ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
++')
++
+######################################
+## <summary>
+## Allow manage kde config content
@@ -6791,7 +6818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.9.7/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/sandbox.te 2011-03-18 13:30:06.493630001 +0000
++++ serefpolicy-3.9.7/policy/modules/apps/sandbox.te 2011-03-20 21:36:27.969630001 +0000
@@ -0,0 +1,478 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -7141,7 +7168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+typeattribute sandbox_web_client_t sandbox_web_type;
+
+# cjp: for old sandbox
-+typeattribute sandbox_web_t sandbox_web_type;
++# typeattribute sandbox_web_t sandbox_web_type;
+
+allow sandbox_web_type self:capability { setuid setgid };
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
@@ -41631,7 +41658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.9.7/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.te 2011-03-18 15:11:06.321630000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/xserver.te 2011-03-20 21:15:17.322630001 +0000
@@ -26,27 +26,50 @@
#
@@ -42270,7 +42297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -516,12 +742,59 @@
+@@ -516,12 +742,60 @@
')
optional_policy(`
@@ -42323,6 +42350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ gnome_manage_config(xdm_t)
+ gnome_manage_gconf_home_files(xdm_t)
+ gnome_read_config(xdm_t)
++ gnome_read_usr_config(xdm_t)
+ gnome_read_gconf_config(xdm_t)
+')
+
@@ -42330,7 +42358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -539,28 +812,63 @@
+@@ -539,28 +813,63 @@
')
optional_policy(`
@@ -42403,7 +42431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -572,6 +880,14 @@
+@@ -572,6 +881,14 @@
')
optional_policy(`
@@ -42418,7 +42446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +912,7 @@
+@@ -596,7 +913,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -42427,7 +42455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,6 +926,14 @@
+@@ -610,6 +927,14 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -42442,7 +42470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +953,19 @@
+@@ -629,12 +954,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -42464,7 +42492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +973,7 @@
+@@ -642,6 +974,7 @@
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -42472,7 +42500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -668,7 +1000,6 @@
+@@ -668,7 +1001,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -42480,7 +42508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,11 +1009,17 @@
+@@ -678,11 +1010,17 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -42498,7 +42526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -693,8 +1030,13 @@
+@@ -693,8 +1031,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -42512,7 +42540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1058,14 @@
+@@ -716,11 +1059,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -42527,7 +42555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1118,28 @@
+@@ -773,12 +1119,28 @@
')
optional_policy(`
@@ -42557,7 +42585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1148,10 @@
+@@ -787,6 +1149,10 @@
')
optional_policy(`
@@ -42568,7 +42596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1167,10 @@
+@@ -802,10 +1168,10 @@
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -42582,7 +42610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1178,7 @@
+@@ -813,7 +1179,7 @@
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -42591,7 +42619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -826,6 +1191,9 @@
+@@ -826,6 +1192,9 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -42601,7 +42629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1201,11 @@
+@@ -833,6 +1202,11 @@
fs_manage_nfs_symlinks(xserver_t)
')
@@ -42613,7 +42641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1214,14 @@
+@@ -841,11 +1215,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -42630,7 +42658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -853,6 +1229,10 @@
+@@ -853,6 +1230,10 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -42641,7 +42669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
########################################
#
# Rules common to all X window domains
-@@ -896,7 +1276,7 @@
+@@ -896,7 +1277,7 @@
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -42650,7 +42678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1330,31 @@
+@@ -950,11 +1331,31 @@
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -42682,7 +42710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -976,18 +1376,32 @@
+@@ -976,18 +1377,32 @@
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -50026,7 +50054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.debug(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.9.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-03-01 12:35:51.053466440 +0000
++++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-03-20 21:07:58.120630001 +0000
@@ -30,8 +30,9 @@
')
@@ -50590,7 +50618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +648,110 @@
+@@ -574,67 +648,116 @@
')
optional_policy(`
@@ -50600,23 +50628,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
alsa_relabel_home_files($1_t)
')
++ # cjp: needed by KDE apps
++ # bug: #682499
++ optional_policy(`
++ gnome_read_usr_config($1_usertype)
++ ')
++
optional_policy(`
# Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ apm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ canna_stream_connect($1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ canna_stream_connect($1_usertype)
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
-+ chrome_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -50643,47 +50677,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ vpn_dbus_chat($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
')
++
++ optional_policy(`
++ vpn_dbus_chat($1_usertype)
++ ')
++ ')
++
++ optional_policy(`
++ git_session_role($1_r, $1_usertype)
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
-+ git_session_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
@@ -50719,7 +50753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
-@@ -650,41 +767,50 @@
+@@ -650,41 +773,50 @@
optional_policy(`
# to allow monitoring of pcmcia status
@@ -50746,33 +50780,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ rpc_dontaudit_getattr_exports($1_usertype)
++ rpc_manage_nfs_rw_content($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ rpc_dontaudit_getattr_exports($1_usertype)
-+ rpc_manage_nfs_rw_content($1_usertype)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ rpcbind_stream_connect($1_usertype)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ sandbox_transition($1_usertype, $1_r)
- ')
-+
-+ optional_policy(`
+ seunshare_role_template($1, $1_r, $1_t)
-+ ')
+ ')
+
+ optional_policy(`
+ slrnpull_search_spool($1_usertype)
@@ -50781,23 +50815,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -712,13 +838,26 @@
+@@ -712,13 +844,26 @@
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-+
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable(allow_$1_exec_content, true)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable(allow_$1_exec_content, true)
++
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -50813,7 +50847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_change_password_template($1)
-@@ -736,72 +875,71 @@
+@@ -736,72 +881,71 @@
allow $1_t self:context contains;
@@ -50880,10 +50914,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
++ seutil_read_config($1_usertype)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -50922,7 +50956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -833,6 +971,9 @@
+@@ -833,6 +977,9 @@
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -50932,7 +50966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
# Local policy
-@@ -874,45 +1015,107 @@
+@@ -874,45 +1021,107 @@
#
auth_role($1_r, $1_t)
@@ -50997,24 +51031,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
- ')
++ ')
optional_policy(`
-- cups_dbus_chat($1_t)
+- consolekit_dbus_chat($1_t)
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat($1_t)
@@ -51027,14 +51061,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ policykit_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ pulseaudio_role($1_r, $1_usertype)
')
optional_policy(`
- java_role($1_r, $1_t)
-+ pulseaudio_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ rtkit_scheduled($1_usertype)
')
@@ -51051,7 +51085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -947,7 +1150,7 @@
+@@ -947,7 +1156,7 @@
#
# Inherit rules for ordinary users.
@@ -51060,7 +51094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -956,54 +1159,77 @@
+@@ -956,54 +1165,77 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -51168,7 +51202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1039,7 +1265,7 @@
+@@ -1039,7 +1271,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -51177,7 +51211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1074,6 +1300,9 @@
+@@ -1074,6 +1306,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -51187,7 +51221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1317,7 @@
+@@ -1088,6 +1323,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -51195,7 +51229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,6 +1335,9 @@
+@@ -1105,6 +1341,9 @@
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -51205,7 +51239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
-@@ -1119,15 +1352,19 @@
+@@ -1119,15 +1358,19 @@
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -51225,7 +51259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
term_use_all_terms($1_t)
-@@ -1142,6 +1379,7 @@
+@@ -1142,6 +1385,7 @@
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -51233,7 +51267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1448,8 @@
+@@ -1210,6 +1454,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -51242,7 +51276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1237,6 +1477,7 @@
+@@ -1237,6 +1483,7 @@
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -51250,7 +51284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1275,12 +1516,15 @@
+@@ -1275,12 +1522,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -51267,7 +51301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1391,6 +1635,7 @@
+@@ -1391,6 +1641,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -51275,7 +51309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1437,6 +1682,14 @@
+@@ -1437,6 +1688,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -51290,7 +51324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1452,9 +1705,11 @@
+@@ -1452,9 +1711,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -51302,7 +51336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1511,6 +1766,42 @@
+@@ -1511,6 +1772,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -51345,7 +51379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1585,6 +1876,8 @@
+@@ -1585,6 +1882,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -51354,7 +51388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1599,10 +1892,12 @@
+@@ -1599,10 +1898,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -51369,7 +51403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1645,34 +1940,53 @@
+@@ -1645,30 +1946,49 @@
########################################
## <summary>
@@ -51405,10 +51439,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## <summary>
-## Domain allowed access.
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`userdom_mmap_user_home_content_files',`
++## </summary>
++## </param>
++#
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
@@ -51424,14 +51457,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_mmap_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-@@ -1696,12 +2010,32 @@
+ ## </summary>
+ ## </param>
+ #
+@@ -1696,12 +2016,32 @@
type user_home_dir_t, user_home_t;
')
@@ -51464,7 +51493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1712,11 +2046,14 @@
+@@ -1712,11 +2052,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -51482,7 +51511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1806,8 +2143,7 @@
+@@ -1806,8 +2149,7 @@
type user_home_dir_t, user_home_t;
')
@@ -51492,7 +51521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1823,20 +2159,14 @@
+@@ -1823,20 +2165,14 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -51517,7 +51546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
-@@ -2178,7 +2508,7 @@
+@@ -2178,7 +2514,7 @@
type user_tmp_t;
')
@@ -51526,7 +51555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2431,13 +2761,14 @@
+@@ -2431,13 +2767,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -51542,7 +51571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary>
## <param name="domain">
## <summary>
-@@ -2458,26 +2789,6 @@
+@@ -2458,26 +2795,6 @@
########################################
## <summary>
@@ -51569,7 +51598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2811,7 +3122,7 @@
+@@ -2811,7 +3128,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -51578,7 +51607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2827,11 +3138,13 @@
+@@ -2827,11 +3144,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -51594,7 +51623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2913,7 +3226,7 @@
+@@ -2913,7 +3232,7 @@
type user_devpts_t;
')
@@ -51603,7 +51632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2968,7 +3281,45 @@
+@@ -2968,7 +3287,45 @@
type user_tmp_t;
')
@@ -51650,7 +51679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3005,6 +3356,7 @@
+@@ -3005,6 +3362,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -51658,7 +51687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3135,3 +3487,855 @@
+@@ -3135,3 +3493,855 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b35267e..53ab0bd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 35%{?dist}
+Release: 36%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,9 @@ exit 0
%endif
%changelog
+* Sun Mar 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-36
+- xdm needs to read KDE config files
+
* Fri Mar 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-35
- Additional fixes for gnomeclock policy
More information about the scm-commits
mailing list