- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service

- Remove policycoreutils-python requirement except for minimum
This commit is contained in:
Daniel J Walsh 2009-09-15 21:45:12 +00:00
parent 6b7b0c1cdc
commit 23e7082b4b
2 changed files with 77 additions and 17 deletions


@ -4242,12 +4242,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`TODO',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.31/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/apps/wine.fc 2009-09-09 15:38:24.000000000 -0400
@@ -1,4 +1,21 @@
+++ serefpolicy-3.6.31/policy/modules/apps/wine.fc 2009-09-15 15:06:46.000000000 -0400
@@ -1,4 +1,22 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+
@ -6805,7 +6806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.31/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.31/policy/modules/roles/unconfineduser.fc 2009-09-09 15:38:24.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/roles/unconfineduser.fc 2009-09-15 15:37:54.000000000 -0400
@@ -0,0 +1,36 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
@ -6813,7 +6814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
@ -11531,6 +11532,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.6.31/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/cyrus.te 2009-09-15 17:43:50.000000000 -0400
@@ -137,6 +137,7 @@
optional_policy(`
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.31/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/dbus.if 2009-09-09 15:38:24.000000000 -0400
@ -17748,6 +17760,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.31/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/snmp.if 2009-09-15 17:44:18.000000000 -0400
@@ -85,6 +85,26 @@
dontaudit $1 snmpd_var_lib_t:file write;
')
+
+########################################
+## <summary>
+## Connect to snmpd using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_stream_connect',`
+ gen_require(`
+ type snmpd_t, snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.31/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/snmp.te 2009-09-15 15:34:40.000000000 -0400
@@ -72,6 +72,8 @@
corenet_udp_bind_snmp_port(snmpd_t)
corenet_sendrecv_snmp_server_packets(snmpd_t)
corenet_tcp_connect_agentx_port(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)
dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.31/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/spamassassin.fc 2009-09-09 15:38:24.000000000 -0400
@ -23541,7 +23595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.31/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/system/modutils.te 2009-09-14 13:14:55.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/system/modutils.te 2009-09-15 15:38:39.000000000 -0400
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@ -23581,7 +23635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -91,19 +99,21 @@
@@ -91,19 +99,23 @@
# insmod local policy
#
@ -23594,7 +23648,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms;
+list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
+read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
can_exec(insmod_t, insmod_exec_t)
@ -23605,7 +23661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
@@ -112,6 +122,7 @@
@@ -112,6 +124,7 @@
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
@ -23613,7 +23669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(insmod_t)
corecmd_exec_shell(insmod_t)
@@ -124,9 +135,7 @@
@@ -124,9 +137,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@ -23624,7 +23680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
@@ -144,11 +153,14 @@
@@ -144,11 +155,14 @@
files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
@ -23639,7 +23695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
@@ -157,19 +169,30 @@
@@ -157,19 +171,30 @@
seutil_read_file_contexts(insmod_t)
@ -23673,7 +23729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hotplug_search_config(insmod_t)
')
@@ -228,7 +251,7 @@
@@ -228,7 +253,7 @@
can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration
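Review bot: In the snmp.te hunk the new `corenet_tcp_bind_agentx_port(snmpd_t)` and `corenet_udp_bind_agentx_port(snmpd_t)` lines let snmpd listen on the agentx port, but unlike the snmp port two lines above, which pairs its bind with `corenet_sendrecv_snmp_server_packets(snmpd_t)`, no `corenet_sendrecv_agentx_server_packets(snmpd_t)` is added, so if packet labeling (SECMARK) is in use the listener would be reachable but its packets denied. Adding that one line next to the two binds keeps the agentx rules consistent with the snmp-port rules in the same block. The new `snmp_stream_connect` interface in snmp.if is well-formed, but its summary could name what it actually grants, e.g. `## Connect to snmpd over its unix stream socket under /var/lib (snmpd_var_lib_t).`. Separately, the unconfineduser.fc hunk labels `/usr/sbin/vboxadd-service` as `execmem_exec_t`, which per the file's own header keeps a system daemon unconfined; that label is presumably meant for programs run by an unconfined user, so it is worth confirming a daemon started from an init script actually transitions through it rather than silently staying in the init domain.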


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.31
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -50,7 +50,7 @@ Url: http://oss.tresys.com/repos/refpolicy/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
Obsoletes: selinux-policy-devel
@ -299,7 +299,7 @@ Summary: SELinux targeted base policy
Provides: selinux-policy-base
Group: System Environment/Base
Obsoletes: selinux-policy-targeted-sources < 2
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: audispd-plugins <= 1.7.7-1
@ -353,7 +353,7 @@ exit 0
Summary: SELinux minimum base policy
Provides: selinux-policy-base
Group: System Environment/Base
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(post): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: seedit
@ -387,7 +387,7 @@ exit 0
Summary: SELinux olpc base policy
Group: System Environment/Base
Provides: selinux-policy-base
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: seedit
@ -419,7 +419,7 @@ Group: System Environment/Base
Provides: selinux-policy-base
Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: seedit
@ -447,6 +447,10 @@ exit 0
%endif
%changelog
* Mon Sep 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-5
- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service
- Remove policycoreutils-python requirement except for minimum
* Mon Sep 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-4
- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files
- Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)
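Review bot: For the minimum subpackage the policycoreutils-python dependency is changed from `Requires(pre)` to `Requires(post)`, which only guarantees the python tools are installed by the time `%post` runs; if that subpackage's `%pre` scriptlet (outside this section) still calls semanage or semodule, it can now execute before the tools exist, so the scriptlets should be checked before weakening the ordering. The same check applies to the targeted, olpc and mls subpackages, whose `Requires(pre)` now names only `policycoreutils` while `BuildRequires` still lists policycoreutils-python; any `%post` use of semanage or fixfiles there would no longer be satisfied by the package itself. The new changelog entry also carries a bogus weekday: 2009-09-15 was a Tuesday (the previous entry is Mon Sep 14), so rpmbuild will warn unless it reads `* Tue Sep 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-5`.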