rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Additional changes for MLS policy

Browse Source
This commit is contained in:
Daniel J Walsh 2008-03-10 20:58:06 +00:00
parent af0084d92b
commit 2041ac3d49
2 changed files with 24 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
policy-20071130.patch
View File

@ -14490,7 +14490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+cron_read_system_job_lib_files(hald_t) +cron_read_system_job_lib_files(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.3.1/policy/modules/services/inetd.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.3.1/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/inetd.te 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/inetd.te 2008-03-10 16:49:55.000000000 -0400
@@ -30,6 +30,10 @@ @@ -30,6 +30,10 @@
type inetd_child_var_run_t; type inetd_child_var_run_t;
files_pid_file(inetd_child_var_run_t) files_pid_file(inetd_child_var_run_t)
@ -23383,7 +23383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-10 14:41:25.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-10 16:54:19.000000000 -0400
@@ -12,9 +12,15 @@ @@ -12,9 +12,15 @@
## </summary> ## </summary>
## </param> ## </param>
@ -23847,7 +23847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system # for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use; allow $2 xdm_t:fd use;
@@ -542,25 +540,540 @@ @@ -542,25 +540,541 @@
allow $2 xdm_tmp_t:sock_file { read write }; allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write }; dontaudit $2 xdm_t:tcp_socket { read write };
@ -23995,6 +23995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ class x_synthetic_event all_x_synthetic_event_perms; + class x_synthetic_event all_x_synthetic_event_perms;
+ +
+ attribute xdm_x_domain; + attribute xdm_x_domain;
+ attribute xserver_unconfined_type;
+ ') + ')
+ +
+ allow $1 self:x_cursor { create use setattr }; + allow $1 self:x_cursor { create use setattr };
@ -24084,6 +24085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow $1 input_xevent_t:{ x_event x_synthetic_event } receive; + allow $1 input_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $1 $1:{ x_event x_synthetic_event } { send receive }; + allow $1 $1:{ x_event x_synthetic_event } { send receive };
+ allow $1 default_xevent_t:x_event receive; + allow $1 default_xevent_t:x_event receive;
+ allow $1 default_xevent_t:x_synthetic_event send;
+ +
+ # can receive certain root window events + # can receive certain root window events
+ allow $1 focus_xevent_t:x_event receive; + allow $1 focus_xevent_t:x_event receive;
@ -24122,7 +24124,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr }; + allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr };
+ allow $1 xdm_xserver_t:x_resource read; + allow $1 xdm_xserver_t:x_resource read;
+ allow $1 xdm_xserver_t:x_server grab; + allow $1 xdm_xserver_t:x_server grab;
+
+') +')
+ +
+####################################### +#######################################
@ -24394,7 +24395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
') ')
@@ -593,26 +1106,44 @@ @@ -593,26 +1107,44 @@
# #
template(`xserver_use_user_fonts',` template(`xserver_use_user_fonts',`
gen_require(` gen_require(`
@ -24446,15 +24447,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain. ## Transition to a user Xauthority domain.
## </summary> ## </summary>
## <desc> ## <desc>
@@ -638,10 +1169,77 @@ @@ -638,10 +1170,77 @@
# #
template(`xserver_domtrans_user_xauth',` template(`xserver_domtrans_user_xauth',`
gen_require(` gen_require(`
- type $1_xauth_t, xauth_exec_t; - type $1_xauth_t, xauth_exec_t;
+ type xauth_exec_t, xauth_t; + type xauth_exec_t, xauth_t;
') + ')
+
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($2, xauth_exec_t, xauth_t) + domtrans_pattern($2, xauth_exec_t, xauth_t)
+') +')
+ +
@ -24519,14 +24519,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+template(`xserver_read_user_iceauth',` +template(`xserver_read_user_iceauth',`
+ gen_require(` + gen_require(`
+ type user_iceauth_home_t; + type user_iceauth_home_t;
+ ') ')
+
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ # Read .Iceauthority file + # Read .Iceauthority file
+ allow $2 user_iceauth_home_t:file { getattr read }; + allow $2 user_iceauth_home_t:file { getattr read };
') ')
######################################## ########################################
@@ -671,10 +1269,10 @@ @@ -671,10 +1270,10 @@
# #
template(`xserver_user_home_dir_filetrans_user_xauth',` template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(` gen_require(`
@ -24539,7 +24540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -760,7 +1358,7 @@ @@ -760,7 +1359,7 @@
type xconsole_device_t; type xconsole_device_t;
') ')
@ -24548,7 +24549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -860,6 +1458,25 @@ @@ -860,6 +1459,25 @@
######################################## ########################################
## <summary> ## <summary>
@ -24574,7 +24575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm-writable configuration files. ## Read xdm-writable configuration files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -914,6 +1531,7 @@ @@ -914,6 +1532,7 @@
files_search_tmp($1) files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms; allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -24582,7 +24583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -955,6 +1573,24 @@ @@ -955,6 +1574,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -24607,7 +24608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Execute the X server in the XDM X server domain. ## Execute the X server in the XDM X server domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -965,15 +1601,47 @@ @@ -965,15 +1602,47 @@
# #
interface(`xserver_domtrans_xdm_xserver',` interface(`xserver_domtrans_xdm_xserver',`
gen_require(` gen_require(`
@ -24656,7 +24657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain. ## Make an X session script an entrypoint for the specified domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1123,7 +1791,7 @@ @@ -1123,7 +1792,7 @@
type xdm_xserver_tmp_t; type xdm_xserver_tmp_t;
') ')
@ -24665,7 +24666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -1312,3 +1980,83 @@ @@ -1312,3 +1981,83 @@
files_search_tmp($1) files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
') ')

5
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.3.1 Version: 3.3.1
Release: 12%{?dist} Release: 13%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -388,6 +388,9 @@ exit 0
%endif %endif
%changelog %changelog
* Mon Mar 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-13
- Additional changes for MLS policy
* Thu Mar 6 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-12 * Thu Mar 6 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-12
- Fix initrc_context generation for MLS - Fix initrc_context generation for MLS