rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- Add livecd policy

Browse Source
This commit is contained in:
Daniel J Walsh 2008-06-04 17:26:52 +00:00
parent 91ec07f1df
commit 15f71c5d61
3 changed files with 42 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
modules-targeted.conf
View File

@ -1668,3 +1668,10 @@ xguest = module
# IMAP and POP3 email servers # IMAP and POP3 email servers
# #
courier = module courier = module
# Layer: apps
# Module: livecd
#
# livecd creator
#
livecd = module

53
policy-20080509.patch
View File

@ -1898,7 +1898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.4.1/policy/modules/apps/gnome.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.4.1/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-05-23 09:15:06.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-05-23 09:15:06.000000000 -0400
+++ serefpolicy-3.4.1/policy/modules/apps/gnome.if 2008-06-03 16:01:51.000000000 -0400 +++ serefpolicy-3.4.1/policy/modules/apps/gnome.if 2008-06-04 11:11:07.509407000 -0400
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
gen_require(` gen_require(`
type gconfd_exec_t, gconf_etc_t; type gconfd_exec_t, gconf_etc_t;
@ -1907,7 +1907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
') ')
############################## ##############################
@@ -44,41 +45,31 @@ @@ -44,41 +45,32 @@
# #
type $1_gconfd_t, gnomedomain; type $1_gconfd_t, gnomedomain;
@ -1923,6 +1923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
- -
- type $1_gconf_tmp_t; - type $1_gconf_tmp_t;
- files_tmp_file($1_gconf_tmp_t) - files_tmp_file($1_gconf_tmp_t)
+ typealias gnome_home_t alias $1_gnome_home_t;
+ typealias gconf_home_t alias $1_gconf_home_t; + typealias gconf_home_t alias $1_gconf_home_t;
+ typealias gconf_tmp_t alias $1_gconf_tmp_t; + typealias gconf_tmp_t alias $1_gconf_tmp_t;
@ -1964,7 +1965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
ps_process_pattern($2,$1_gconfd_t) ps_process_pattern($2,$1_gconfd_t)
@@ -86,6 +77,10 @@ @@ -86,6 +78,10 @@
files_read_etc_files($1_gconfd_t) files_read_etc_files($1_gconfd_t)
@ -1975,7 +1976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
libs_use_ld_so($1_gconfd_t) libs_use_ld_so($1_gconfd_t)
libs_use_shared_libs($1_gconfd_t) libs_use_shared_libs($1_gconfd_t)
@@ -93,11 +88,8 @@ @@ -93,11 +89,8 @@
logging_send_syslog_msg($1_gconfd_t) logging_send_syslog_msg($1_gconfd_t)
@ -1989,7 +1990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
optional_policy(` optional_policy(`
nscd_dontaudit_search_pid($1_gconfd_t) nscd_dontaudit_search_pid($1_gconfd_t)
@@ -107,6 +99,10 @@ @@ -107,6 +100,10 @@
xserver_use_xdm_fds($1_gconfd_t) xserver_use_xdm_fds($1_gconfd_t)
xserver_rw_xdm_pipes($1_gconfd_t) xserver_rw_xdm_pipes($1_gconfd_t)
') ')
@ -2000,7 +2001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
') ')
######################################## ########################################
@@ -128,11 +124,28 @@ @@ -128,11 +125,28 @@
template(`gnome_stream_connect_gconf_template',` template(`gnome_stream_connect_gconf_template',`
gen_require(` gen_require(`
type $1_gconfd_t; type $1_gconfd_t;
@ -2032,7 +2033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
') ')
######################################## ########################################
@@ -141,7 +154,7 @@ @@ -141,7 +155,7 @@
## </summary> ## </summary>
## <desc> ## <desc>
## <p> ## <p>
@ -2041,7 +2042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
## </p> ## </p>
## <p> ## <p>
## This is a templated interface, and should only ## This is a templated interface, and should only
@@ -170,6 +183,30 @@ @@ -170,6 +184,30 @@
######################################## ########################################
## <summary> ## <summary>
@ -2072,7 +2073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
## manage gnome homedir content (.config) ## manage gnome homedir content (.config)
## </summary> ## </summary>
## <param name="userdomain_prefix"> ## <param name="userdomain_prefix">
@@ -186,9 +223,29 @@ @@ -186,9 +224,29 @@
# #
template(`gnome_manage_user_gnome_config',` template(`gnome_manage_user_gnome_config',`
gen_require(` gen_require(`
@ -3200,7 +3201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.f
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.4.1/policy/modules/apps/livecd.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.4.1/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.4.1/policy/modules/apps/livecd.if 2008-06-03 09:53:54.000000000 -0400 +++ serefpolicy-3.4.1/policy/modules/apps/livecd.if 2008-06-04 13:26:20.582917000 -0400
@@ -0,0 +1,56 @@ @@ -0,0 +1,56 @@
+ +
+## <summary>policy for livecd</summary> +## <summary>policy for livecd</summary>
@ -29897,8 +29898,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.4.1/policy/modules/system/qemu.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.4.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.4.1/policy/modules/system/qemu.if 2008-06-03 09:53:56.000000000 -0400 +++ serefpolicy-3.4.1/policy/modules/system/qemu.if 2008-06-04 13:13:44.213306000 -0400
@@ -0,0 +1,313 @@ @@ -0,0 +1,318 @@
+ +
+## <summary>policy for qemu</summary> +## <summary>policy for qemu</summary>
+ +
@ -30142,7 +30143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+ domain_use_interactive_fds($1_t) + domain_use_interactive_fds($1_t)
+ +
+ allow $1_t self:capability { dac_read_search dac_override }; + allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:process { execstack execmem signal getsched }; + allow $1_t self:process { execstack execmem signal getsched signull };
+ allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms;
+ +
+ ## internal communication is often done using fifo and unix sockets. + ## internal communication is often done using fifo and unix sockets.
@ -30159,6 +30160,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+ manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+ +
+ dev_read_sound($1_t)
+ dev_write_sound($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t) + corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_all_if($1_t) + corenet_tcp_sendrecv_all_if($1_t)
@ -30189,6 +30193,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+ term_getattr_pty_fs($1_t) + term_getattr_pty_fs($1_t)
+ term_use_generic_ptys($1_t) + term_use_generic_ptys($1_t)
+ +
+ auth_use_nsswitch($1_t)
+
+ libs_use_ld_so($1_t) + libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t) + libs_use_shared_libs($1_t)
+ +
@ -32074,7 +32080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.4.1/policy/modules/system/unconfined.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.4.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-05-29 15:55:43.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-05-29 15:55:43.000000000 -0400
+++ serefpolicy-3.4.1/policy/modules/system/unconfined.te 2008-06-03 11:34:41.000000000 -0400 +++ serefpolicy-3.4.1/policy/modules/system/unconfined.te 2008-06-04 13:26:18.902281000 -0400
@@ -1,40 +1,79 @@ @@ -1,40 +1,79 @@
-policy_module(unconfined, 2.2.1) -policy_module(unconfined, 2.2.1)
@ -32242,20 +32248,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -123,11 +176,7 @@ @@ -123,11 +176,11 @@
') ')
optional_policy(` optional_policy(`
- inn_domtrans(unconfined_t) - inn_domtrans(unconfined_t)
-')
-
-optional_policy(`
- java_domtrans(unconfined_t)
+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
') ')
optional_policy(` optional_policy(`
@@ -139,18 +188,6 @@ - java_domtrans(unconfined_t)
+ livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
@@ -139,18 +192,6 @@
') ')
optional_policy(` optional_policy(`
@ -32274,7 +32281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
') ')
@@ -159,38 +196,46 @@ @@ -159,38 +200,46 @@
') ')
optional_policy(` optional_policy(`
@ -32334,7 +32341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -198,23 +243,33 @@ @@ -198,23 +247,33 @@
') ')
optional_policy(` optional_policy(`
@ -32373,7 +32380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
######################################## ########################################
@@ -224,14 +279,35 @@ @@ -224,14 +283,35 @@
allow unconfined_execmem_t self:process { execstack execmem }; allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t) unconfined_domain_noaudit(unconfined_execmem_t)

7
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.4.1 Version: 3.4.1
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -375,7 +375,10 @@ exit 0
%endif %endif
%changelog %changelog
* Fri May 9 2008 Dan Walsh <dwalsh@redhat.com> 3.4.1-3 * Wed Jun 4 2008 Dan Walsh <dwalsh@redhat.com> 3.4.1-4
- Add livecd policy
* Wed Jun 4 2008 Dan Walsh <dwalsh@redhat.com> 3.4.1-3
- Dontaudit search of admin_home for init_system_domain - Dontaudit search of admin_home for init_system_domain
- Rewrite of xace interfaces - Rewrite of xace interfaces
- Lots of new fs_list_inotify - Lots of new fs_list_inotify