- Add new devices

2007-07-11 20:45:02 +00:00 · 2007-07-11 20:45:02 +00:00 · 2796de2a45
parent 154d8231c3
commit 2796de2a45
2 changed files with 70 additions and 5 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -1924,8 +1924,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.2/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-06-15 14:54:30.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/kernel/devices.fc	2007-07-11 10:06:28.000000000 -0400
-@@ -127,3 +127,7 @@
+++ serefpolicy-3.0.2/policy/modules/kernel/devices.fc	2007-07-11 16:42:08.000000000 -0400
+@@ -53,7 +53,7 @@
+ /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
+ /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+-/dev/(misc/)?rtc	-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/(misc/)?rtc[0-9]*	-c	gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+@@ -65,6 +65,7 @@
+ /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
+ /dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb[0-9]+		-c	gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ ifdef(`distro_suse', `
+ /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -127,3 +128,7 @@
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
 ')
@ -2436,6 +2453,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
 	typeattribute $1 fixed_disk_raw_write;
 ')
 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.2/policy/modules/kernel/terminal.fc
+--- nsaserefpolicy/policy/modules/kernel/terminal.fc	2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/terminal.fc	2007-07-11 16:39:30.000000000 -0400
+@@ -8,6 +8,7 @@
+ /dev/dcbri[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/i2c[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/ircomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.2/policy/modules/kernel/terminal.te
 --- nsaserefpolicy/policy/modules/kernel/terminal.te	2007-06-15 14:54:30.000000000 -0400
 +++ serefpolicy-3.0.2/policy/modules/kernel/terminal.te	2007-07-11 10:06:28.000000000 -0400
@ -3544,7 +3572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.2/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/services/cron.if	2007-07-11 10:06:28.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/services/cron.if	2007-07-11 15:52:10.000000000 -0400
@@ -35,6 +35,7 @@
 #
 template(`cron_per_role_template',`
@ -3666,6 +3694,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 
 	tunable_policy(`fcron_crond',`
 		# fcron wants an instant update of a crontab change for the administrator
+@@ -439,6 +421,25 @@
+ 
+ ########################################
+ ## <summary>
+##	Read temporary files from cron.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_tmp_files',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 crond_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+ ##	Read, and write cron daemon TCP sockets.
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.2/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-07-03 07:06:27.000000000 -0400
 +++ serefpolicy-3.0.2/policy/modules/services/cron.te	2007-07-11 10:06:28.000000000 -0400
@ -4994,7 +5048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.2/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/services/mta.te	2007-07-11 10:06:28.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/services/mta.te	2007-07-11 15:52:32.000000000 -0400
@@ -27,6 +27,7 @@
 
 type sendmail_exec_t;
@ -5048,6 +5102,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ')
 
 optional_policy(`
+@@ -73,6 +103,7 @@
+ 
+ optional_policy(`
+ 	cron_read_system_job_tmp_files(system_mail_t)
+	cron_read_tmp_files(system_mail_t)
+ 	cron_dontaudit_write_pipes(system_mail_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.2/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.2/policy/modules/services/networkmanager.fc	2007-07-11 10:06:28.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -356,6 +356,9 @@ exit 0
 %endif

 %changelog
+* Wed Jul 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-5
+- Add new devices
+
 * Tue Jul 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-4
 - Add brctl policy