- Add back transition from xguest to mozilla
parent
ab3e55d79a
commit
0554a10b80
@ -57,13 +57,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
||||
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.3/config/appconfig-mcs/seusers
|
||||
--- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400
|
||||
+++ serefpolicy-3.6.3/config/appconfig-mcs/seusers 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/config/appconfig-mcs/seusers 2009-01-30 10:44:12.000000000 -0500
|
||||
@@ -1,3 +1,3 @@
|
||||
system_u:system_u:s0-mcs_systemhigh
|
||||
-root:root:s0-mcs_systemhigh
|
||||
-__default__:user_u:s0
|
||||
+root:unconfined_u:s0-mcs_systemhigh
|
||||
+__default__:unconfined_u:s0
|
||||
+__default__:unconfined_u:s0-mcs_systemhigh
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.3/config/appconfig-mcs/staff_u_default_contexts
|
||||
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/config/appconfig-mcs/staff_u_default_contexts 2009-01-19 13:10:02.000000000 -0500
|
||||
@ -359,6 +359,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+gen_tunable(allow_console_login,false)
|
||||
+
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.3/policy/mcs
|
||||
--- nsaserefpolicy/policy/mcs 2008-08-07 11:15:13.000000000 -0400
|
||||
+++ serefpolicy-3.6.3/policy/mcs 2009-01-30 10:40:41.000000000 -0500
|
||||
@@ -67,7 +67,7 @@
|
||||
# Note that getattr on files is always permitted.
|
||||
#
|
||||
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
||||
- ( h1 dom h2 );
|
||||
+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
|
||||
|
||||
mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
|
||||
(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
|
||||
@@ -75,7 +75,7 @@
|
||||
# New filesystem object labels must be dominated by the relabeling subject
|
||||
# clearance, also the objects are single-level.
|
||||
mlsconstrain file { create relabelto }
|
||||
- (( h1 dom h2 ) and ( l2 eq h2 ));
|
||||
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
|
||||
|
||||
# At this time we do not restrict "ps" type operations via MCS. This
|
||||
# will probably change in future.
|
||||
@@ -84,10 +84,10 @@
|
||||
|
||||
# new file labels must be dominated by the relabeling subject clearance
|
||||
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
|
||||
- ( h1 dom h2 );
|
||||
+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
|
||||
|
||||
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
|
||||
- (( h1 dom h2 ) and ( l2 eq h2 ));
|
||||
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
|
||||
|
||||
mlsconstrain process { transition dyntransition }
|
||||
(( h1 dom h2 ) or ( t1 == mcssetcats ));
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.3/policy/modules/admin/anaconda.te
|
||||
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-01-05 15:39:44.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/admin/anaconda.te 2009-01-19 13:10:02.000000000 -0500
|
||||
@ -6646,8 +6680,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.3/policy/modules/roles/guest.te
|
||||
--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/roles/guest.te 2009-01-19 13:10:02.000000000 -0500
|
||||
@@ -0,0 +1,36 @@
|
||||
+++ serefpolicy-3.6.3/policy/modules/roles/guest.te 2009-01-30 11:41:43.000000000 -0500
|
||||
@@ -0,0 +1,26 @@
|
||||
+
|
||||
+policy_module(guest, 1.0.0)
|
||||
+
|
||||
@ -6673,16 +6707,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ mono_role_template(guest, guest_r, guest_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type xguest_t;
|
||||
+ role xguest_r;
|
||||
+ ')
|
||||
+
|
||||
+ mozilla_role(xguest, xguest_t, xguest_r)
|
||||
+')
|
||||
+
|
||||
+gen_user(guest_u, user, guest_r, s0, s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.6.3/policy/modules/roles/logadm.fc
|
||||
--- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
@ -7776,7 +7800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.3/policy/modules/roles/xguest.te
|
||||
--- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/roles/xguest.te 2009-01-19 13:10:02.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/roles/xguest.te 2009-01-30 10:50:34.000000000 -0500
|
||||
@@ -0,0 +1,87 @@
|
||||
+
|
||||
+policy_module(xguest, 1.0.0)
|
||||
@ -7816,9 +7840,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+# Local policy
|
||||
+#
|
||||
+
|
||||
+#optional_policy(`
|
||||
+# mozilla_role(xguest_r, xguest_t)
|
||||
+#')
|
||||
+optional_policy(`
|
||||
+ mozilla_role(xguest_r, xguest_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ java_role_template(xguest, xguest_r, xguest_t)
|
||||
@ -27846,8 +27870,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-19 13:10:02.000000000 -0500
|
||||
@@ -6,35 +6,76 @@
|
||||
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-30 10:55:24.000000000 -0500
|
||||
@@ -6,35 +6,77 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -27925,13 +27949,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
mcs_killall(unconfined_t)
|
||||
mcs_ptrace_all(unconfined_t)
|
||||
+mls_file_write_all_levels(unconfined_t)
|
||||
|
||||
init_run_daemon(unconfined_t, unconfined_r)
|
||||
+init_domtrans_script(unconfined_t)
|
||||
|
||||
libs_run_ldconfig(unconfined_t, unconfined_r)
|
||||
|
||||
@@ -42,26 +83,39 @@
|
||||
@@ -42,26 +84,39 @@
|
||||
logging_run_auditctl(unconfined_t, unconfined_r)
|
||||
|
||||
mount_run_unconfined(unconfined_t, unconfined_r)
|
||||
@ -27973,7 +27998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -102,12 +156,24 @@
|
||||
@@ -102,12 +157,24 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27998,7 +28023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -119,31 +185,33 @@
|
||||
@@ -119,31 +186,33 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -28039,7 +28064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -155,36 +223,38 @@
|
||||
@@ -155,36 +224,38 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -28090,7 +28115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -192,7 +262,7 @@
|
||||
@@ -192,7 +263,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -28099,7 +28124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -204,11 +274,12 @@
|
||||
@@ -204,11 +275,12 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -28114,7 +28139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -218,14 +289,60 @@
|
||||
@@ -218,14 +290,60 @@
|
||||
|
||||
allow unconfined_execmem_t self:process { execstack execmem };
|
||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
|
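Review bot: The `policy/mcs` section added to the patch lets every MCS file write and relabel constraint pass when `t1 == mlsfilewrite` (for example `(( h1 dom h2 ) or ( t1 == mlsfilewrite ))`), but the commit title and the 3.6.3-12 changelog entry mention only the xguest-to-mozilla transition. The `unconfined.te` hunk also appears to add `mls_file_write_all_levels(unconfined_t)`, and the `seusers` hunk appears to widen the `__default__` range from `s0` to `s0-mcs_systemhigh`. The old/new side of those two lines is inferred from the hunk counts and the `+++` timestamps. Taken together these relax category separation for unconfined logins, so the change deserves its own changelog line, for instance `- Allow unconfined_t to write files at all MCS levels`. A comment above the first changed constraint would also help, such as `# domains with the mlsfilewrite attribute are exempt from the MCS dominance check on file writes`. Which other domains already carry `mlsfilewrite` is not visible on this page and should be checked before merging, since each of them gains the same exemption.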
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.3
|
||||
Release: 11%{?dist}
|
||||
Release: 12%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -444,6 +444,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-12
|
||||
- Add back transition from xguest to mozilla
|
||||
|
||||
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-11
|
||||
- Add virt_content_ro_t and labeling for isos directory
|
||||
|
||||
|