- Fix java and mono to run in xguest account

policy-20070703.patch

@@ -1439,7 +1439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
  application_executable_file(gconfd_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2007-09-20 18:08:22.000000000 -0400
 @@ -11,6 +11,7 @@
  #
  /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -1448,7 +1448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
  /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,9 @@
+@@ -20,5 +21,11 @@
  /usr/bin/grmic  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/grmiregistry  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/jv-convert  	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -1458,9 +1458,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
 +
 +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 +
++/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-08-02 08:17:26.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 08:56:23.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 17:57:24.000000000 -0400
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
@@ -1480,7 +1482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
  	allow $1_javaplugin_t $2:fd use;
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-@@ -166,6 +165,57 @@
+@@ -166,6 +165,60 @@
  	optional_policy(`
  		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
  	')
@@ -1528,17 +1530,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
 +
 +	userdom_unpriv_usertype($1, $1_java_t)
 +
-+	allow $1_java_t self:process { execheap execmem };
++	allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
 +
 +	domtrans_pattern($2, java_exec_t, $1_java_t)
 +
++	dev_read_urand($1_java_t)
++	dev_read_rand($1_java_t)
++
 +	optional_policy(`
 +		xserver_xdm_rw_shm($1_java_t)
 +	')
  ')
  
  ########################################
-@@ -219,3 +269,66 @@
+@@ -219,3 +272,66 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, java_exec_t, java_t)
  ')
@@ -6387,7 +6392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal
 +term_search_ptys(ktalkd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if
 --- nsaserefpolicy/policy/modules/services/lpd.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/lpd.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/lpd.if	2007-09-20 18:02:10.000000000 -0400
 @@ -394,3 +394,22 @@
  
  	domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
@@ -13255,7 +13260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-20 15:46:46.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-20 18:02:36.000000000 -0400
 @@ -29,8 +29,9 @@
  	')
  
@@ -13849,7 +13854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -954,21 +882,163 @@
+@@ -954,21 +882,164 @@
  ##	</summary>
  ## </param>
  #
@@ -13965,6 +13970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	userdom_poly_tmp_template($1)
 +
 +	optional_policy(`
++		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
 +		cups_stream_connect_ptal($1_usertype)
 +	')
@@ -14019,7 +14025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1047,51 @@
+@@ -977,23 +1048,51 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -14082,7 +14088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1127,7 @@
+@@ -1029,15 +1128,7 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -14099,7 +14105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -1054,17 +1144,6 @@
+@@ -1054,17 +1145,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -14117,7 +14123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1102,6 +1181,8 @@
+@@ -1102,6 +1182,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -14126,7 +14132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1208,7 @@
+@@ -1127,7 +1209,7 @@
  	# $1_t local policy
  	#
  
@@ -14135,7 +14141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,7 +1220,11 @@
+@@ -1139,7 +1221,11 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -14148,7 +14154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1642,9 +1727,11 @@
+@@ -1642,9 +1728,11 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -14160,7 +14166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_type($2)
  ')
  
-@@ -1894,10 +1981,46 @@
+@@ -1894,10 +1982,46 @@
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
  		type $1_home_dir_t, $1_home_t;
@@ -14208,7 +14214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3078,7 +3201,7 @@
+@@ -3078,7 +3202,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -14217,7 +14223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4738,24 @@
+@@ -4615,6 +4739,24 @@
  	files_list_home($1)
  	allow $1 home_dir_type:dir search_dir_perms;
  ')
@@ -14242,7 +14248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  ########################################
  ## <summary>
-@@ -4633,6 +4774,14 @@
+@@ -4633,6 +4775,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -14257,7 +14263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5323,7 +5472,7 @@
+@@ -5323,7 +5473,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -14266,7 +14272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5559,3 +5708,376 @@
+@@ -5559,3 +5709,376 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-5
+- Fix java and mono to run in xguest account
+
 * Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-4
 - Fix to add xguest account when inititial install
 - Allow mono, java, wine to run in userdomains