diff --git a/policy-20081111.patch b/policy-20081111.patch index b8dba4f6..edaeeb4c 100644 --- a/policy-20081111.patch +++ b/policy-20081111.patch @@ -3442,7 +3442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.1/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-12-04 16:29:05.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/apps/qemu.te 2008-12-23 11:34:57.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -3452,10 +3452,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

## Allow qemu to connect fully to the network -@@ -13,16 +15,98 @@ +@@ -13,16 +15,105 @@ ## gen_tunable(qemu_full_network, false) ++## ++##

++## Allow qemu to use usb devices ++##

++##
++gen_tunable(qemu_use_usb, true) ++ +## +##

+## Allow qemu to use nfs file systems @@ -3551,16 +3558,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; -@@ -35,6 +119,30 @@ +@@ -35,6 +126,38 @@ corenet_tcp_connect_all_ports(qemu_t) ') +tunable_policy(`qemu_use_nfs',` ++ fs_manage_nfs_dirs(qemu_t) + fs_manage_nfs_files(qemu_t) +') + +tunable_policy(`qemu_use_cifs',` + fs_manage_cifs_dirs(qemu_t) ++ fs_manage_cifs_files(qemu_t) ++') ++ ++tunable_policy(`qemu_use_usb',` ++ dev_rw_usbfs(qemu_t) ++ fs_manage_dos_dirs(qemu_t) ++ fs_manage_dos_files(qemu_t) +') + +optional_policy(` @@ -20626,7 +20641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-18 10:03:59.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-27 07:07:28.000000000 -0500 @@ -75,7 +75,7 @@ ubac_constrained(ssh_tmpfs_t) @@ -20678,7 +20693,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -318,6 +323,10 @@ +@@ -310,6 +315,8 @@ + kernel_search_key(sshd_t) + kernel_link_key(sshd_t) + ++fs_list_inotifyfs(sshd_t) ++ + term_use_all_user_ptys(sshd_t) + term_setattr_all_user_ptys(sshd_t) + term_relabelto_all_user_ptys(sshd_t) +@@ -318,6 +325,10 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -20689,7 +20713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -331,6 +340,14 @@ +@@ -331,6 +342,14 @@ ') optional_policy(` @@ -20704,7 +20728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -349,7 +366,11 @@ +@@ -349,7 +368,11 @@ ') optional_policy(` @@ -20717,7 +20741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -408,6 +429,8 @@ +@@ -408,6 +431,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) @@ -26411,7 +26435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-18 10:02:36.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-27 06:28:18.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -27739,7 +27763,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to use user ttys. ## ## -@@ -2965,6 +3150,24 @@ +@@ -2851,6 +3036,7 @@ + ') + + read_files_pattern($1,userdomain,userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) + ') + +@@ -2965,6 +3151,24 @@ ######################################## ##

@@ -27764,7 +27796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3184,264 @@ +@@ -2981,3 +3185,264 @@ allow $1 userdomain:dbus send_msg; ')