- Fix java and mono to run in xguest account

This commit is contained in:
Daniel J Walsh 2007-09-20 22:30:51 +00:00
parent c003dbaafb
commit 07e28d136d
2 changed files with 32 additions and 23 deletions


@ -1439,7 +1439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
application_executable_file(gconfd_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2007-09-20 18:08:22.000000000 -0400
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@ -1448,7 +1448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +21,9 @@
@@ -20,5 +21,11 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
@ -1458,9 +1458,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-20 08:56:23.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-20 17:57:24.000000000 -0400
@@ -32,7 +32,7 @@
## </summary>
## </param>
@ -1480,7 +1482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
allow $1_javaplugin_t $2:fd use;
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
@@ -166,6 +165,57 @@
@@ -166,6 +165,60 @@
optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
@ -1528,17 +1530,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
+
+ userdom_unpriv_usertype($1, $1_java_t)
+
+ allow $1_java_t self:process { execheap execmem };
+ allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
+
+ domtrans_pattern($2, java_exec_t, $1_java_t)
+
+ dev_read_urand($1_java_t)
+ dev_read_rand($1_java_t)
+
+ optional_policy(`
+ xserver_xdm_rw_shm($1_java_t)
+ ')
')
########################################
@@ -219,3 +269,66 @@
@@ -219,3 +272,66 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
@ -6387,7 +6392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal
+term_search_ptys(ktalkd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-09-20 18:02:10.000000000 -0400
@@ -394,3 +394,22 @@
domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
@ -13255,7 +13260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 15:46:46.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 18:02:36.000000000 -0400
@@ -29,8 +29,9 @@
')
@ -13849,7 +13854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
samba_stream_connect_winbind($1_t)
')
@@ -954,21 +882,163 @@
@@ -954,21 +882,164 @@
## </summary>
## </param>
#
@ -13965,6 +13970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ userdom_poly_tmp_template($1)
+
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
+ ')
@ -14019,7 +14025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -977,23 +1047,51 @@
@@ -977,23 +1048,51 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@ -14082,7 +14088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
@@ -1029,15 +1127,7 @@
@@ -1029,15 +1128,7 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@ -14099,7 +14105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
@@ -1054,17 +1144,6 @@
@@ -1054,17 +1145,6 @@
setroubleshoot_stream_connect($1_t)
')
@ -14117,7 +14123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
@@ -1102,6 +1181,8 @@
@@ -1102,6 +1182,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@ -14126,7 +14132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
# Declarations
@@ -1127,7 +1208,7 @@
@@ -1127,7 +1209,7 @@
# $1_t local policy
#
@ -14135,7 +14141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
@@ -1139,7 +1220,11 @@
@@ -1139,7 +1221,11 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@ -14148,7 +14154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
@@ -1642,9 +1727,11 @@
@@ -1642,9 +1728,11 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@ -14160,7 +14166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_type($2)
')
@@ -1894,10 +1981,46 @@
@@ -1894,10 +1982,46 @@
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
type $1_home_dir_t, $1_home_t;
@ -14208,7 +14214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -3078,7 +3201,7 @@
@@ -3078,7 +3202,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@ -14217,7 +14223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_tmp_filetrans($2,$1_tmp_t,$3)
@@ -4615,6 +4738,24 @@
@@ -4615,6 +4739,24 @@
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
')
@ -14242,7 +14248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
@@ -4633,6 +4774,14 @@
@@ -4633,6 +4775,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@ -14257,7 +14263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -5323,7 +5472,7 @@
@@ -5323,7 +5473,7 @@
attribute user_tmpfile;
')
@ -14266,7 +14272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -5559,3 +5708,376 @@
@@ -5559,3 +5709,376 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
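Review bot: The new `allow $1_java_t self:process { getsched sigkill execheap execmem execstack };` line in the hunk headed `@ -1528,17 +1530,20 @@` of java.if adds `execstack` to what appears to have been `{ execheap execmem }`, which removes the last of the W^X memory protections the `$1_java_t` domain still had, and nothing in the hunk records why an executable stack is needed or gates it behind a tunable. Since the same commit labels `/usr/lib(64)?/openoffice\.org/program/soffice\.bin` as `java_exec_t` in java.fc and `domtrans_pattern($2, java_exec_t, $1_java_t)` lets the caller domain enter `$1_java_t`, OpenOffice now also runs with all three exemptions, including in the xguest user domain this commit is aimed at. I would at least precede the line with a comment such as `# JIT/native code needs writable+executable pages; execstack widens this further - revisit once the JVM and soffice.bin no longer require it` and consider wrapping `execstack` in a `tunable_policy` block so hardened sites can keep stack NX enforcement. Less urgent: the `/usr/lib/jvm/java(.*/)bin(/.*)?` entry with the `--` class labels every regular file under any `bin` directory anywhere below a `java*` JVM tree as `java_exec_t`, which is much broader than the explicit per-binary entries around it, though I cannot tell from here which JVM layouts it must cover. The body of the `$1_java_t` template begins before this hunk, so context that already documents the execstack need may be out of my view.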


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -362,6 +362,9 @@ exit 0
%endif
%changelog
* Thu Sep 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-5
- Fix java and mono to run in xguest account
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-4
- Fix to add xguest account when inititial install
- Allow mono, java, wine to run in userdomains