- Add back transition from xguest to mozilla
parent
ab3e55d79a
commit
0554a10b80
@ -57,13 +57,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
|
|||||||
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.3/config/appconfig-mcs/seusers
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.3/config/appconfig-mcs/seusers
|
||||||
--- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400
|
--- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400
|
||||||
+++ serefpolicy-3.6.3/config/appconfig-mcs/seusers 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/config/appconfig-mcs/seusers 2009-01-30 10:44:12.000000000 -0500
|
||||||
@@ -1,3 +1,3 @@
|
@@ -1,3 +1,3 @@
|
||||||
system_u:system_u:s0-mcs_systemhigh
|
system_u:system_u:s0-mcs_systemhigh
|
||||||
-root:root:s0-mcs_systemhigh
|
-root:root:s0-mcs_systemhigh
|
||||||
-__default__:user_u:s0
|
-__default__:user_u:s0
|
||||||
+root:unconfined_u:s0-mcs_systemhigh
|
+root:unconfined_u:s0-mcs_systemhigh
|
||||||
+__default__:unconfined_u:s0
|
+__default__:unconfined_u:s0-mcs_systemhigh
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.3/config/appconfig-mcs/staff_u_default_contexts
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.3/config/appconfig-mcs/staff_u_default_contexts
|
||||||
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
|
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/config/appconfig-mcs/staff_u_default_contexts 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/config/appconfig-mcs/staff_u_default_contexts 2009-01-19 13:10:02.000000000 -0500
|
||||||
@ -359,6 +359,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+gen_tunable(allow_console_login,false)
|
+gen_tunable(allow_console_login,false)
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.3/policy/mcs
|
||||||
|
--- nsaserefpolicy/policy/mcs 2008-08-07 11:15:13.000000000 -0400
|
||||||
|
+++ serefpolicy-3.6.3/policy/mcs 2009-01-30 10:40:41.000000000 -0500
|
||||||
|
@@ -67,7 +67,7 @@
|
||||||
|
# Note that getattr on files is always permitted.
|
||||||
|
#
|
||||||
|
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
||||||
|
- ( h1 dom h2 );
|
||||||
|
+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
|
||||||
|
|
||||||
|
mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
|
||||||
|
(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
|
||||||
|
@@ -75,7 +75,7 @@
|
||||||
|
# New filesystem object labels must be dominated by the relabeling subject
|
||||||
|
# clearance, also the objects are single-level.
|
||||||
|
mlsconstrain file { create relabelto }
|
||||||
|
- (( h1 dom h2 ) and ( l2 eq h2 ));
|
||||||
|
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
|
||||||
|
|
||||||
|
# At this time we do not restrict "ps" type operations via MCS. This
|
||||||
|
# will probably change in future.
|
||||||
|
@@ -84,10 +84,10 @@
|
||||||
|
|
||||||
|
# new file labels must be dominated by the relabeling subject clearance
|
||||||
|
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
|
||||||
|
- ( h1 dom h2 );
|
||||||
|
+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
|
||||||
|
|
||||||
|
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
|
||||||
|
- (( h1 dom h2 ) and ( l2 eq h2 ));
|
||||||
|
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
|
||||||
|
|
||||||
|
mlsconstrain process { transition dyntransition }
|
||||||
|
(( h1 dom h2 ) or ( t1 == mcssetcats ));
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.3/policy/modules/admin/anaconda.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.3/policy/modules/admin/anaconda.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-01-05 15:39:44.000000000 -0500
|
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-01-05 15:39:44.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/admin/anaconda.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/admin/anaconda.te 2009-01-19 13:10:02.000000000 -0500
|
||||||
@ -6646,8 +6680,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.3/policy/modules/roles/guest.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.3/policy/modules/roles/guest.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/roles/guest.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/roles/guest.te 2009-01-30 11:41:43.000000000 -0500
|
||||||
@@ -0,0 +1,36 @@
|
@@ -0,0 +1,26 @@
|
||||||
+
|
+
|
||||||
+policy_module(guest, 1.0.0)
|
+policy_module(guest, 1.0.0)
|
||||||
+
|
+
|
||||||
@ -6673,16 +6707,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ mono_role_template(guest, guest_r, guest_t)
|
+ mono_role_template(guest, guest_r, guest_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type xguest_t;
|
|
||||||
+ role xguest_r;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ mozilla_role(xguest, xguest_t, xguest_r)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+gen_user(guest_u, user, guest_r, s0, s0)
|
+gen_user(guest_u, user, guest_r, s0, s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.6.3/policy/modules/roles/logadm.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.6.3/policy/modules/roles/logadm.fc
|
||||||
--- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
@ -7776,7 +7800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.3/policy/modules/roles/xguest.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.3/policy/modules/roles/xguest.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/roles/xguest.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/roles/xguest.te 2009-01-30 10:50:34.000000000 -0500
|
||||||
@@ -0,0 +1,87 @@
|
@@ -0,0 +1,87 @@
|
||||||
+
|
+
|
||||||
+policy_module(xguest, 1.0.0)
|
+policy_module(xguest, 1.0.0)
|
||||||
@ -7816,9 +7840,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+# Local policy
|
+# Local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+#optional_policy(`
|
+optional_policy(`
|
||||||
+# mozilla_role(xguest_r, xguest_t)
|
+ mozilla_role(xguest_r, xguest_t)
|
||||||
+#')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ java_role_template(xguest, xguest_r, xguest_t)
|
+ java_role_template(xguest, xguest_r, xguest_t)
|
||||||
@ -27846,8 +27870,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-30 10:55:24.000000000 -0500
|
||||||
@@ -6,35 +6,76 @@
|
@@ -6,35 +6,77 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -27925,13 +27949,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
mcs_killall(unconfined_t)
|
mcs_killall(unconfined_t)
|
||||||
mcs_ptrace_all(unconfined_t)
|
mcs_ptrace_all(unconfined_t)
|
||||||
|
+mls_file_write_all_levels(unconfined_t)
|
||||||
|
|
||||||
init_run_daemon(unconfined_t, unconfined_r)
|
init_run_daemon(unconfined_t, unconfined_r)
|
||||||
+init_domtrans_script(unconfined_t)
|
+init_domtrans_script(unconfined_t)
|
||||||
|
|
||||||
libs_run_ldconfig(unconfined_t, unconfined_r)
|
libs_run_ldconfig(unconfined_t, unconfined_r)
|
||||||
|
|
||||||
@@ -42,26 +83,39 @@
|
@@ -42,26 +84,39 @@
|
||||||
logging_run_auditctl(unconfined_t, unconfined_r)
|
logging_run_auditctl(unconfined_t, unconfined_r)
|
||||||
|
|
||||||
mount_run_unconfined(unconfined_t, unconfined_r)
|
mount_run_unconfined(unconfined_t, unconfined_r)
|
||||||
@ -27973,7 +27998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -102,12 +156,24 @@
|
@@ -102,12 +157,24 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27998,7 +28023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -119,31 +185,33 @@
|
@@ -119,31 +186,33 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28039,7 +28064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -155,36 +223,38 @@
|
@@ -155,36 +224,38 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28090,7 +28115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -192,7 +262,7 @@
|
@@ -192,7 +263,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28099,7 +28124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -204,11 +274,12 @@
|
@@ -204,11 +275,12 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -28114,7 +28139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -218,14 +289,60 @@
|
@@ -218,14 +290,60 @@
|
||||||
|
|
||||||
allow unconfined_execmem_t self:process { execstack execmem };
|
allow unconfined_execmem_t self:process { execstack execmem };
|
||||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||||
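Review bot: The new side of this patch changes more than the xguest-to-mozilla transition named in the title, and none of the extra changes are documented. policy/mcs gains an `or ( t1 == mlsfilewrite )` exemption on five `mlsconstrain` statements, unconfined.te adds `mls_file_write_all_levels(unconfined_t)` (which presumably assigns that attribute), and the seusers `__default__` range goes from `s0` to `s0-mcs_systemhigh`; the sides are inferred from the page layout and the `-359,6 +359,40` and `-27925,13 +27949,14` hunk counts. With the exemption in place, the existing comment "New filesystem object labels must be dominated by the relabeling subject clearance" no longer holds for domains carrying the attribute. I would add a line above each relaxed constraint such as `# Domains with the mlsfilewrite attribute are exempt from this MCS check.` and a %changelog entry such as `- Exempt mlsfilewrite domains (unconfined_t) from MCS file write and relabel constraints`. Anyone auditing which domains can cross category boundaries should find that stated next to the constraint rather than having to reconstruct it from the diff.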
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.3
|
Version: 3.6.3
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -444,6 +444,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-12
|
||||||
|
- Add back transition from xguest to mozilla
|
||||||
|
|
||||||
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-11
|
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-11
|
||||||
- Add virt_content_ro_t and labeling for isos directory
|
- Add virt_content_ro_t and labeling for isos directory
|
||||||
|
|
||||||
|