- Additional ports for vnc and allow qemu and libvirt to search all directories
Daniel J Walsh 2008-02-02 15:42:44 +00:00
parent b19d470cd4
commit 11ac4bcde1
2 changed files with 22 additions and 10 deletions


@ -3058,7 +3058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.6/policy/modules/apps/mono.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.6/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/apps/mono.if 2008-02-01 16:01:42.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/apps/mono.if 2008-02-02 10:25:13.000000000 -0500
@@ -18,3 +18,105 @@ @@ -18,3 +18,105 @@
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t) domtrans_pattern($1, mono_exec_t, mono_t)
@ -3154,7 +3154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+ +
+ userdom_unpriv_usertype($1, $1_mono_t) + userdom_unpriv_usertype($1, $1_mono_t)
+ +
+ allow $1_mono_t self:process { execheap execmem }; + allow $1_mono_t self:process { ptrace signal getsched execheap execmem };
+ allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+ +
+ domtrans_pattern($2, mono_exec_t, $1_mono_t) + domtrans_pattern($2, mono_exec_t, $1_mono_t)
@ -3167,13 +3167,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.6/policy/modules/apps/mono.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.6/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/apps/mono.te 2008-02-01 16:01:42.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/apps/mono.te 2008-02-02 10:38:18.000000000 -0500
@@ -15,7 +15,7 @@ @@ -15,7 +15,7 @@
# Local policy # Local policy
# #
-allow mono_t self:process { execheap execmem }; -allow mono_t self:process { execheap execmem };
+allow mono_t self:process { signal getsched execheap execmem }; +allow mono_t self:process { ptrace signal getsched execheap execmem };
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
@ -4818,7 +4818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
######################################## ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in 2008-02-01 16:01:42.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in 2008-02-02 10:38:16.000000000 -0500
@@ -82,6 +82,7 @@ @@ -82,6 +82,7 @@
network_port(clockspeed, udp,4041,s0) network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@ -4861,6 +4861,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(rsh, tcp,514,s0) network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0) network_port(rwho, udp,513,s0)
@@ -171,6 +176,8 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
+# Reserve 50 ports for vnc/virt machines
+portcon tcp 5901-5950 gen_context(system_u:object_r:vnc_port_t, s0)
network_port(wccp, udp,2048,s0)
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in.cyphesis diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in.cyphesis
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in.cyphesis 2008-02-01 16:01:42.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in.cyphesis 2008-02-01 16:01:42.000000000 -0500
@ -23485,7 +23494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.6/policy/modules/system/qemu.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.6/policy/modules/system/qemu.te
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/qemu.te 2008-02-02 01:25:31.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/system/qemu.te 2008-02-02 10:40:41.000000000 -0500
@@ -0,0 +1,56 @@ @@ -0,0 +1,56 @@
+policy_module(qemu,1.0.0) +policy_module(qemu,1.0.0)
+ +
@ -23530,7 +23539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
+files_read_etc_files(qemu_t) +files_read_etc_files(qemu_t)
+files_read_usr_files(qemu_t) +files_read_usr_files(qemu_t)
+files_read_var_files(qemu_t) +files_read_var_files(qemu_t)
+files_search_var_lib(qemu_t) +files_search_all(qemu_t)
+ +
+fs_rw_anon_inodefs_files(qemu_t) +fs_rw_anon_inodefs_files(qemu_t)
+ +
@ -28115,7 +28124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-01 17:30:47.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 10:41:16.000000000 -0500
@@ -0,0 +1,123 @@ @@ -0,0 +1,123 @@
+ +
+policy_module(virt,1.0.0) +policy_module(virt,1.0.0)
@ -28192,7 +28201,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t)
+corenet_tcp_bind_all_nodes(virtd_t) +corenet_tcp_bind_all_nodes(virtd_t)
+corenet_tcp_bind_vnc_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t)
+
+corenet_rw_tun_tap_dev(virtd_t) +corenet_rw_tun_tap_dev(virtd_t)
+ +
+kernel_read_system_state(virtd_t) +kernel_read_system_state(virtd_t)
@ -28204,6 +28212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+ +
+files_read_etc_files(virtd_t) +files_read_etc_files(virtd_t)
+files_read_etc_runtime_files(virtd_t) +files_read_etc_runtime_files(virtd_t)
+files_search_all(virtd_t)
+ +
+libs_use_ld_so(virtd_t) +libs_use_ld_so(virtd_t)
+libs_use_shared_libs(virtd_t) +libs_use_shared_libs(virtd_t)
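Review bot: The widening from `files_search_var_lib(qemu_t)` to `files_search_all(qemu_t)` in the qemu.te hunk, and the matching `files_search_all(virtd_t)` added in the virt.te hunk, carry no comment saying why search on every directory type is needed, so a later cleanup is likely to narrow them back to /var/lib and break whatever path this was added for. Since qemu_t is the domain that runs guest code, a one-line rationale next to each grant such as `# disk images are not confined to /var/lib; directory search (traverse) only, file contents still need their own read rules` would fix the intended scope; directory search by itself does not permit reading file contents, though the exact set of types covered by files_search_all depends on the refpolicy version and is not visible here. The same goes for the `ptrace` added to the mono_t and $1_mono_t self:process rules in the mono.te and mono.if hunks, where a note on which runtime feature needs self-ptrace would help the next reviewer. The qemu.te, virt.te and mono.if definitions all start and end outside the visible hunks.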


@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.2.6 Version: 3.2.6
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
%endif %endif
%changelog %changelog
* Sat Feb 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-2
- Additional ports for vnc and allow qemu and libvirt to search all directories
* Fri Feb 1 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-1 * Fri Feb 1 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-1
- Update to upstream - Update to upstream
- Add libvirt policy - Add libvirt policy