rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Add back in unconfined.pp and unconfineduser.pp

Browse Source
This commit is contained in:
Daniel J Walsh 2009-08-26 14:02:27 +00:00
parent 89e3546337
commit 07c04f81b6
2 changed files with 15 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
policy-F12.patch
View File

@ -692,10 +692,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_auto_mountpoints(readahead_t) fs_search_auto_mountpoints(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.28/policy/modules/admin/rpm.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.28/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.28/policy/modules/admin/rpm.fc 2009-08-21 18:56:06.000000000 -0400 +++ serefpolicy-3.6.28/policy/modules/admin/rpm.fc 2009-08-26 08:40:46.000000000 -0400
@@ -1,17 +1,16 @@ @@ -1,17 +1,17 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/debuginfo-install -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
@ -715,7 +716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
@@ -21,15 +20,22 @@ @@ -21,15 +21,22 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
@ -7084,8 +7085,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc 2009-08-21 18:56:07.000000000 -0400 +++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc 2009-08-26 08:51:41.000000000 -0400
@@ -0,0 +1,37 @@ @@ -0,0 +1,36 @@
+# Add programs here which should not be confined by SELinux +# Add programs here which should not be confined by SELinux
+# e.g.: +# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@ -7122,7 +7123,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ +
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if 2009-08-21 18:56:07.000000000 -0400 +++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if 2009-08-21 18:56:07.000000000 -0400

50
selinux-policy.spec
View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.28 Version: 3.6.28
Release: 7%{?dist} Release: 8%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -97,7 +97,7 @@ cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \ %define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "/^#/" && $1 != "unconfined" && $1 != "unconfineduser" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf ) awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
%define installCmds() \ %define installCmds() \
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
@ -310,46 +310,13 @@ SELinux Reference policy targeted base module.
%saveFileContext targeted %saveFileContext targeted
%post targeted %post targeted
function get_unconfined() {
# We only want to upgrade unconfined.pp and unconfineduser if they are
# currently installed. If you have a version 3.0.0 or less of unconfined
# installed, you will need to install both, since unconfineduser did not exist
# prior to this.
eval `semodule -l | while read package version; do
case $package in
"unconfineduser")
echo "unconfineduser=$version"
;;
"unconfined")
echo "unconfined=$version"
;;
esac
done`
if [ -z "$unconfineduser" -a -n "$unconfined" ]; then
f1=`echo $unconfined | cut -d. -f 1`
if [ $f1 -lt 3 ]; then
unconfineduser="1"
else
if [ $f1 -eq 3 ]; then
f2=`echo $unconfined | cut -s -d. -f2`
f3=`echo $unconfined | cut -s -d. -f3`
if [ \( -z "$f2" \) -o \( \( "$f2" -eq 0 \) -a \( -z "f3" -o "$f3" -eq 0 \) \) ]; then
unconfineduser="1"
fi
fi
fi
fi
echo ${unconfined:+unconfined.pp.bz2} ${unconfineduser:+unconfineduser.pp.bz2}
}
if [ $1 -eq 1 ]; then if [ $1 -eq 1 ]; then
packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2" packages="%{expand:%%moduleList targeted}"
%loadpolicy targeted $packages %loadpolicy targeted $packages
restorecon -R /root /var/log /var/run 2> /dev/null restorecon -R /root /var/log /var/run 2> /dev/null
else else
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit 2>/dev/null semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit 2>/dev/null
packages="%{expand:%%moduleList targeted} `get_unconfined`" packages="%{expand:%%moduleList targeted}"
%loadpolicy targeted $packages %loadpolicy targeted $packages
%relabel targeted %relabel targeted
fi fi
@ -394,8 +361,7 @@ SELinux Reference policy minimum base module.
%saveFileContext minimum %saveFileContext minimum
%post minimum %post minimum
packages="unconfined.pp.bz2 unconfineduser.pp.bz2" %loadpolicy minimum
%loadpolicy minimum $packages
if [ $1 -eq 1 ]; then if [ $1 -eq 1 ]; then
semanage -S minimum -i - << __eof semanage -S minimum -i - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
@ -428,7 +394,7 @@ SELinux Reference policy olpc base module.
%saveFileContext olpc %saveFileContext olpc
%post olpc %post olpc
packages="%{expand:%%moduleList olpc} unconfined.pp.bz2 unconfineduser.pp.bz2" packages="%{expand:%%moduleList olpc}"
%loadpolicy olpc $packages %loadpolicy olpc $packages
if [ $1 -ne 1 ]; then if [ $1 -ne 1 ]; then
@ -475,6 +441,9 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-8
- Add back in unconfined.pp and unconfineduser.pp
* Tue Aug 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-7 * Tue Aug 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-7
- Fixes for cdrecord, mdadm, and others - Fixes for cdrecord, mdadm, and others
@ -1364,7 +1333,6 @@ directory)
- Fix Makefile.devel to build mls modules - Fix Makefile.devel to build mls modules
- Fix qemu to be more specific on labeling - Fix qemu to be more specific on labeling
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-1 * Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-1
- Update to upstream fixes - Update to upstream fixes