- Add back in unconfined.pp and unconfineduser.pp
parent
89e3546337
commit
07c04f81b6
@ -692,10 +692,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_search_auto_mountpoints(readahead_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.28/policy/modules/admin/rpm.fc
|
||||
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.28/policy/modules/admin/rpm.fc 2009-08-21 18:56:06.000000000 -0400
|
||||
@@ -1,17 +1,16 @@
|
||||
+++ serefpolicy-3.6.28/policy/modules/admin/rpm.fc 2009-08-26 08:40:46.000000000 -0400
|
||||
@@ -1,17 +1,17 @@
|
||||
|
||||
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
@ -715,7 +716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
@@ -21,15 +20,22 @@
|
||||
@@ -21,15 +21,22 @@
|
||||
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
@ -7084,8 +7085,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc 2009-08-21 18:56:07.000000000 -0400
|
||||
@@ -0,0 +1,37 @@
|
||||
+++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc 2009-08-26 08:51:41.000000000 -0400
|
||||
@@ -0,0 +1,36 @@
|
||||
+# Add programs here which should not be confined by SELinux
|
||||
+# e.g.:
|
||||
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
|
||||
@ -7122,7 +7123,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+
|
||||
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if 2009-08-21 18:56:07.000000000 -0400
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.28
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -97,7 +97,7 @@ cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
|
||||
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
|
||||
|
||||
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
|
||||
awk '$1 !~ "/^#/" && $1 != "unconfined" && $1 != "unconfineduser" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
|
||||
|
||||
%define installCmds() \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
|
||||
@ -310,46 +310,13 @@ SELinux Reference policy targeted base module.
|
||||
%saveFileContext targeted
|
||||
|
||||
%post targeted
|
||||
function get_unconfined() {
|
||||
# We only want to upgrade unconfined.pp and unconfineduser if they are
|
||||
# currently installed. If you have a version 3.0.0 or less of unconfined
|
||||
# installed, you will need to install both, since unconfineduser did not exist
|
||||
# prior to this.
|
||||
eval `semodule -l | while read package version; do
|
||||
case $package in
|
||||
"unconfineduser")
|
||||
echo "unconfineduser=$version"
|
||||
;;
|
||||
"unconfined")
|
||||
echo "unconfined=$version"
|
||||
;;
|
||||
esac
|
||||
done`
|
||||
|
||||
if [ -z "$unconfineduser" -a -n "$unconfined" ]; then
|
||||
f1=`echo $unconfined | cut -d. -f 1`
|
||||
if [ $f1 -lt 3 ]; then
|
||||
unconfineduser="1"
|
||||
else
|
||||
if [ $f1 -eq 3 ]; then
|
||||
f2=`echo $unconfined | cut -s -d. -f2`
|
||||
f3=`echo $unconfined | cut -s -d. -f3`
|
||||
if [ \( -z "$f2" \) -o \( \( "$f2" -eq 0 \) -a \( -z "f3" -o "$f3" -eq 0 \) \) ]; then
|
||||
unconfineduser="1"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
echo ${unconfined:+unconfined.pp.bz2} ${unconfineduser:+unconfineduser.pp.bz2}
|
||||
}
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
packages="%{expand:%%moduleList targeted}"
|
||||
%loadpolicy targeted $packages
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
else
|
||||
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit 2>/dev/null
|
||||
packages="%{expand:%%moduleList targeted} `get_unconfined`"
|
||||
packages="%{expand:%%moduleList targeted}"
|
||||
%loadpolicy targeted $packages
|
||||
%relabel targeted
|
||||
fi
|
||||
@ -394,8 +361,7 @@ SELinux Reference policy minimum base module.
|
||||
%saveFileContext minimum
|
||||
|
||||
%post minimum
|
||||
packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
%loadpolicy minimum $packages
|
||||
%loadpolicy minimum
|
||||
if [ $1 -eq 1 ]; then
|
||||
semanage -S minimum -i - << __eof
|
||||
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
|
||||
@ -428,7 +394,7 @@ SELinux Reference policy olpc base module.
|
||||
%saveFileContext olpc
|
||||
|
||||
%post olpc
|
||||
packages="%{expand:%%moduleList olpc} unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
packages="%{expand:%%moduleList olpc}"
|
||||
%loadpolicy olpc $packages
|
||||
|
||||
if [ $1 -ne 1 ]; then
|
||||
@ -475,6 +441,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-8
|
||||
- Add back in unconfined.pp and unconfineduser.pp
|
||||
|
||||
* Tue Aug 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-7
|
||||
- Fixes for cdrecord, mdadm, and others
|
||||
|
||||
@ -1364,7 +1333,6 @@ directory)
|
||||
- Fix Makefile.devel to build mls modules
|
||||
- Fix qemu to be more specific on labeling
|
||||
|
||||
|
||||
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-1
|
||||
- Update to upstream fixes
|
||||
|
||||
|
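Review bot: In the upgrade (`else`) branch of `%post targeted`, `packages="%{expand:%%moduleList targeted}"` now appears to reload unconfined.pp.bz2 and unconfineduser.pp.bz2 on every package update, because this commit drops the `$1 != "unconfined" && $1 != "unconfineduser"` filter from `moduleList` and removes `get_unconfined`, which only passed those modules when `semodule -l` already listed them. If modules-targeted.conf marks them as `module` (that file is not visible here), a host whose administrator removed the unconfined domain as a hardening step would get it reinstalled by an update. If that is intended, document it above the assignment, e.g. `# NOTE: upgrades reinstall unconfined/unconfineduser even if the admin removed them`, and say so in the changelog entry; otherwise keep the installed-module check for the upgrade path only. Separately, the `$1 !~ "/^#/"` test kept in `moduleList` passes a string as a dynamic regex, so it likely never matches and a line such as `#foo = module` would not be skipped; `$1 !~ /^#/` is probably what was meant.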