diff --git a/policy-20071130.patch b/policy-20071130.patch
index b08228b6..6eb24bcd 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -1363,6 +1363,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
  kudzu_domtrans(anaconda_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.3.1/policy/modules/admin/bootloader.te
+--- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/bootloader.te 2008-02-27 23:26:17.000000000 -0500
+@@ -215,3 +215,7 @@
+ userdom_dontaudit_search_staff_home_dirs(bootloader_t)
+ userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+ ')
++
++optional_policy(`
++ unconfined_domain(bootloader_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.3.1/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-02-18 14:30:19.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/admin/consoletype.te 2008-02-26 08:29:22.000000000 -0500
@@ -22686,7 +22697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 18:04:08.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 23:02:25.000000000 -0500
 @@ -15,6 +15,11 @@
 template(`xserver_common_domain_template',`
  gen_require(`
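Review bot: `unconfined_domain(bootloader_t)` is added in a bare `optional_policy(`` block with nothing in the policy text marking it as a temporary measure, and the same unguarded pattern is added for xdm_xserver_t, fsadm_t, lvm_t, udev_t and xend_t in the later hunks of this file. The spec changelog line "Change some of the system domains back to unconfined" is the only record of the intent, and once a domain is unconfined the audit log stops producing denials for it, so the policy source is the only place a later maintainer can learn these domains still need re-confining. Because `unconfined_domain()` applies a type attribute it cannot sit under `tunable_policy`, so a comment is the practical fix: add `# Unconfined for the 3.3.1 beta; re-confine before release` above each of the six blocks. For udev_t and xend_t, which react to events arriving from outside the trusted base, the comment should also say that a fault in them now reaches the whole system.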
@@ -23412,7 +23423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 + allow $3 xselection_type:x_selection *;
 + allow $3 x_domain:x_cursor *;
 + allow $3 { x_domain remote_xclient_t }:x_client *;
-+ allow $3 { x_domain x_server_domain }:x_device ~{ read };
++ allow $3 { x_domain x_server_domain }:x_device *;
 + allow $3 xextension_type:x_extension *;
 + allow $3 { x_domain x_server_domain }:x_resource *;
 + allow $3 xevent_type:{ x_event x_synthetic_event } *;
@@ -23886,7 +23897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 18:04:32.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 23:17:59.000000000 -0500
 @@ -16,21 +16,79 @@
 ##
@@ -24207,17 +24218,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  seutil_sigchld_newrole(xdm_t)
  ')
-@@ -343,8 +482,8 @@
+@@ -343,8 +482,9 @@
  ')
  optional_policy(`
 - unconfined_domain(xdm_t)
++ unconfined_domain(xdm_xserver_t)
  unconfined_domtrans(xdm_t)
 + unconfined_signal(xdm_t)
  ifndef(`distro_redhat',`
  allow xdm_t self:process { execheap execmem };
-@@ -380,7 +519,7 @@
+@@ -380,7 +520,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -24226,7 +24238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +531,15 @@
+@@ -392,6 +532,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
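Review bot: The x_device rule in `xserver_common_domain_template` now grants `*` where it previously granted `~{ read }`, so whatever domain is bound to `$3` gains read on every x_domain and x_server_domain device — the single permission the original rule withheld on purpose, and on input devices read is, as far as I understand XACE, the permission that gates receiving another client's input events. Neither the hunk nor the changelog says why read is now required, so a reader cannot tell a deliberate grant from a denial that was silenced wholesale. If it is intended, add `# read on x_device is intentional: <reason>` above the line; if it was widened only to clear denials, keep `allow $3 { x_domain x_server_domain }:x_device ~{ read };`. The template body starts and ends outside this hunk.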
@@ -24242,7 +24254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,9 +552,17 @@
+@@ -404,9 +553,17 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -24260,7 +24272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  fs_manage_nfs_dirs(xdm_xserver_t)
  fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +576,22 @@
+@@ -420,6 +577,22 @@
  ')
  optional_policy(`
@@ -24283,7 +24295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  resmgr_stream_connect(xdm_t)
  ')
-@@ -429,47 +601,125 @@
+@@ -429,47 +602,125 @@
  ')
  optional_policy(`
@@ -24924,7 +24936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.3.1/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te 2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-02-27 23:25:29.000000000 -0500
 @@ -97,6 +97,10 @@
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
@@ -24936,13 +24948,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  mls_file_read_all_levels(fsadm_t)
  mls_file_write_all_levels(fsadm_t)
-@@ -184,4 +188,6 @@
+@@ -184,4 +188,9 @@
  optional_policy(`
  xen_append_log(fsadm_t)
 + xen_rw_image_files(fsadm_t)
- ')
++')
 +
++optional_policy(`
++ unconfined_domain(fsadm_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.3.1/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te 2008-02-18 14:30:18.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/hostname.te 2008-02-26 08:29:22.000000000 -0500
@@ -26117,7 +26132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-27 23:23:39.000000000 -0500
 @@ -44,9 +44,9 @@
  # Cluster LVM daemon local policy
  #
@@ -26248,7 +26263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  ifdef(`distro_redhat',`
  # this is from the initrd:
  files_rw_isid_type_dirs(lvm_t)
-@@ -289,5 +310,14 @@
+@@ -289,5 +310,18 @@
  ')
  optional_policy(`
@@ -26260,6 +26275,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  ')
 +
 +optional_policy(`
++ unconfined_domain(lvm_t)
++')
++
++optional_policy(`
 + xen_append_log(lvm_t)
 + xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 +')
@@ -27818,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  xen_append_log(ifconfig_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.3.1/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/udev.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/udev.te 2008-02-27 23:28:08.000000000 -0500
 @@ -83,6 +83,7 @@
  kernel_rw_unix_dgram_sockets(udev_t)
  kernel_dgram_send(udev_t)
@@ -27864,6 +27883,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  consoletype_exec(udev_t)
  ')
+@@ -240,5 +244,9 @@
+ ')
+ 
+ optional_policy(`
++ unconfined_domain(udev_t)
++')
++
++optional_policy(`
+ xserver_read_xdm_pid(udev_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-02-26 08:29:22.000000000 -0500
@@ -32047,7 +32076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-02-27 23:16:46.000000000 -0500
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -32211,7 +32240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  init_rw_script_stream_sockets(xm_t)
  init_use_fds(xm_t)
-@@ -363,6 +375,19 @@
+@@ -363,6 +375,23 @@
  sysnet_read_config(xm_t)
@@ -32231,6 +32260,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 + fs_manage_nfs_files(xend_t)
 + fs_read_nfs_symlinks(xend_t)
 +')
++
++optional_policy(`
++ unconfined_domain(xend_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.3.1/policy/modules/users/auditadm.fc
 --- nsaserefpolicy/policy/modules/users/auditadm.fc 1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc 2008-02-26 08:29:22.000000000 -0500
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 58744696..599e9eb4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -388,6 +388,11 @@ exit 0
 %endif
 %changelog
+* Wed Feb 27 2008 Dan Walsh 3.3.1-6
+- Prepare policy for beta release
+- Change some of the system domains back to unconfined
+- Turn on some of the booleans
+
 * Tue Feb 26 2008 Dan Walsh 3.3.1-5
 - Allow nsplugin_config execstack/execmem
 - Allow nsplugin_t to read alsa config
@@ -396,7 +401,6 @@ exit 0
 * Tue Feb 26 2008 Dan Walsh 3.3.1-4
 - Add cyphesis policy
-
 * Tue Feb 26 2008 Dan Walsh 3.3.1-2
 - Fix Makefile.devel to build mls modules
 - Fix qemu to be more specific on labeling