- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service
- Remove policycoreutils-python requirement except for minimum
This commit is contained in:
parent
6b7b0c1cdc
commit
23e7082b4b
@ -4242,12 +4242,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`TODO',`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.31/policy/modules/apps/wine.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/apps/wine.fc 2009-09-09 15:38:24.000000000 -0400
|
||||
@@ -1,4 +1,21 @@
|
||||
+++ serefpolicy-3.6.31/policy/modules/apps/wine.fc 2009-09-15 15:06:46.000000000 -0400
|
||||
@@ -1,4 +1,22 @@
|
||||
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
|
||||
+
|
||||
@ -6805,7 +6806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.31/policy/modules/roles/unconfineduser.fc
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.31/policy/modules/roles/unconfineduser.fc 2009-09-09 15:38:24.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/roles/unconfineduser.fc 2009-09-15 15:37:54.000000000 -0400
|
||||
@@ -0,0 +1,36 @@
|
||||
+# Add programs here which should not be confined by SELinux
|
||||
+# e.g.:
|
||||
@ -6813,7 +6814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
|
||||
+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
|
||||
+
|
||||
+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||
+
|
||||
@ -11531,6 +11532,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
||||
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.6.31/policy/modules/services/cyrus.te
|
||||
--- nsaserefpolicy/policy/modules/services/cyrus.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/services/cyrus.te 2009-09-15 17:43:50.000000000 -0400
|
||||
@@ -137,6 +137,7 @@
|
||||
optional_policy(`
|
||||
snmp_read_snmp_var_lib_files(cyrus_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
|
||||
+ snmp_stream_connect(cyrus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.31/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/services/dbus.if 2009-09-09 15:38:24.000000000 -0400
|
||||
@ -17748,6 +17760,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.31/policy/modules/services/snmp.if
|
||||
--- nsaserefpolicy/policy/modules/services/snmp.if 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/services/snmp.if 2009-09-15 17:44:18.000000000 -0400
|
||||
@@ -85,6 +85,26 @@
|
||||
dontaudit $1 snmpd_var_lib_t:file write;
|
||||
')
|
||||
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect to snmpd using a unix domain stream socket.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`snmp_stream_connect',`
|
||||
+ gen_require(`
|
||||
+ type snmpd_t, snmpd_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.31/policy/modules/services/snmp.te
|
||||
--- nsaserefpolicy/policy/modules/services/snmp.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/services/snmp.te 2009-09-15 15:34:40.000000000 -0400
|
||||
@@ -72,6 +72,8 @@
|
||||
corenet_udp_bind_snmp_port(snmpd_t)
|
||||
corenet_sendrecv_snmp_server_packets(snmpd_t)
|
||||
corenet_tcp_connect_agentx_port(snmpd_t)
|
||||
+corenet_tcp_bind_agentx_port(snmpd_t)
|
||||
+corenet_udp_bind_agentx_port(snmpd_t)
|
||||
|
||||
dev_list_sysfs(snmpd_t)
|
||||
dev_read_sysfs(snmpd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.31/policy/modules/services/spamassassin.fc
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/services/spamassassin.fc 2009-09-09 15:38:24.000000000 -0400
|
||||
@ -23541,7 +23595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.31/policy/modules/system/modutils.te
|
||||
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/system/modutils.te 2009-09-14 13:14:55.000000000 -0400
|
||||
+++ serefpolicy-3.6.31/policy/modules/system/modutils.te 2009-09-15 15:38:39.000000000 -0400
|
||||
@@ -19,6 +19,7 @@
|
||||
type insmod_exec_t;
|
||||
application_domain(insmod_t, insmod_exec_t)
|
||||
@ -23581,7 +23635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -91,19 +99,21 @@
|
||||
@@ -91,19 +99,23 @@
|
||||
# insmod local policy
|
||||
#
|
||||
|
||||
@ -23594,7 +23648,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Read module config and dependency information
|
||||
-allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms;
|
||||
+list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
|
||||
+read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
|
||||
+list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
|
||||
+read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
|
||||
|
||||
can_exec(insmod_t, insmod_exec_t)
|
||||
@ -23605,7 +23661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_write_proc_files(insmod_t)
|
||||
kernel_mount_debugfs(insmod_t)
|
||||
kernel_mount_kvmfs(insmod_t)
|
||||
@@ -112,6 +122,7 @@
|
||||
@@ -112,6 +124,7 @@
|
||||
kernel_read_kernel_sysctls(insmod_t)
|
||||
kernel_rw_kernel_sysctl(insmod_t)
|
||||
kernel_read_hotplug_sysctls(insmod_t)
|
||||
@ -23613,7 +23669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(insmod_t)
|
||||
corecmd_exec_shell(insmod_t)
|
||||
@@ -124,9 +135,7 @@
|
||||
@@ -124,9 +137,7 @@
|
||||
dev_read_sound(insmod_t)
|
||||
dev_write_sound(insmod_t)
|
||||
dev_rw_apm_bios(insmod_t)
|
||||
@ -23624,7 +23680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_signal_all_domains(insmod_t)
|
||||
domain_use_interactive_fds(insmod_t)
|
||||
@@ -144,11 +153,14 @@
|
||||
@@ -144,11 +155,14 @@
|
||||
files_write_kernel_modules(insmod_t)
|
||||
|
||||
fs_getattr_xattr_fs(insmod_t)
|
||||
@ -23639,7 +23695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
logging_send_syslog_msg(insmod_t)
|
||||
logging_search_logs(insmod_t)
|
||||
@@ -157,19 +169,30 @@
|
||||
@@ -157,19 +171,30 @@
|
||||
|
||||
seutil_read_file_contexts(insmod_t)
|
||||
|
||||
@ -23673,7 +23729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
hotplug_search_config(insmod_t)
|
||||
')
|
||||
|
||||
@@ -228,7 +251,7 @@
|
||||
@@ -228,7 +253,7 @@
|
||||
can_exec(update_modules_t, update_modules_exec_t)
|
||||
|
||||
# manage module loading configuration
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.31
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -50,7 +50,7 @@ Url: http://oss.tresys.com/repos/refpolicy/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildArch: noarch
|
||||
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
|
||||
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
|
||||
Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk
|
||||
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
|
||||
Obsoletes: selinux-policy-devel
|
||||
@ -299,7 +299,7 @@ Summary: SELinux targeted base policy
|
||||
Provides: selinux-policy-base
|
||||
Group: System Environment/Base
|
||||
Obsoletes: selinux-policy-targeted-sources < 2
|
||||
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Conflicts: audispd-plugins <= 1.7.7-1
|
||||
@ -353,7 +353,7 @@ exit 0
|
||||
Summary: SELinux minimum base policy
|
||||
Provides: selinux-policy-base
|
||||
Group: System Environment/Base
|
||||
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
|
||||
Requires(post): policycoreutils-python >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Conflicts: seedit
|
||||
@ -387,7 +387,7 @@ exit 0
|
||||
Summary: SELinux olpc base policy
|
||||
Group: System Environment/Base
|
||||
Provides: selinux-policy-base
|
||||
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Conflicts: seedit
|
||||
@ -419,7 +419,7 @@ Group: System Environment/Base
|
||||
Provides: selinux-policy-base
|
||||
Obsoletes: selinux-policy-mls-sources < 2
|
||||
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
|
||||
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Conflicts: seedit
|
||||
@ -447,6 +447,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Sep 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-5
|
||||
- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service
|
||||
- Remove policycoreutils-python requirement except for minimum
|
||||
|
||||
* Mon Sep 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-4
|
||||
- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files
|
||||
- Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)
|
||||
|
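Review bot: The new changelog entry `* Mon Sep 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-5` carries the wrong weekday: 15 September 2009 was a Tuesday (the previous entry correctly dates 14 September as Monday), and rpmbuild reports this as a bogus date in %changelog. Change it to `* Tue Sep 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-5`. Separately, the minimum subpackage moves its policycoreutils-python dependency from `Requires(pre)` to `Requires(post)` while the base, targeted, olpc and mls packages replace it with plain policycoreutils; if any of those packages' %pre or %post scriptlets still invoke semanage or another python-based tool, the install-ordering guarantee for that tool is lost. The scriptlets are outside this view, so that should be confirmed before merging.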