- Prepare policy for beta release

- Change some of the system domains back to unconfined
- Turn on some of the booleans
This commit is contained in:
Daniel J Walsh 2008-02-28 04:35:56 +00:00
parent 533c755e4d
commit 40ce26840e
2 changed files with 55 additions and 18 deletions

View File

@ -1363,6 +1363,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
kudzu_domtrans(anaconda_t) kudzu_domtrans(anaconda_t)
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.3.1/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/bootloader.te 2008-02-27 23:26:17.000000000 -0500
@@ -215,3 +215,7 @@
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
')
+
+optional_policy(`
+ unconfined_domain(bootloader_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.3.1/policy/modules/admin/consoletype.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.3.1/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-02-18 14:30:19.000000000 -0500 --- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-02-18 14:30:19.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/consoletype.te 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/admin/consoletype.te 2008-02-26 08:29:22.000000000 -0500
@ -22686,7 +22697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 18:04:08.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 23:02:25.000000000 -0500
@@ -15,6 +15,11 @@ @@ -15,6 +15,11 @@
template(`xserver_common_domain_template',` template(`xserver_common_domain_template',`
gen_require(` gen_require(`
@ -23412,7 +23423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow $3 xselection_type:x_selection *; + allow $3 xselection_type:x_selection *;
+ allow $3 x_domain:x_cursor *; + allow $3 x_domain:x_cursor *;
+ allow $3 { x_domain remote_xclient_t }:x_client *; + allow $3 { x_domain remote_xclient_t }:x_client *;
+ allow $3 { x_domain x_server_domain }:x_device ~{ read }; + allow $3 { x_domain x_server_domain }:x_device *;
+ allow $3 xextension_type:x_extension *; + allow $3 xextension_type:x_extension *;
+ allow $3 { x_domain x_server_domain }:x_resource *; + allow $3 { x_domain x_server_domain }:x_resource *;
+ allow $3 xevent_type:{ x_event x_synthetic_event } *; + allow $3 xevent_type:{ x_event x_synthetic_event } *;
@ -23886,7 +23897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 18:04:32.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 23:17:59.000000000 -0500
@@ -16,21 +16,79 @@ @@ -16,21 +16,79 @@
## <desc> ## <desc>
@ -24207,17 +24218,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
seutil_sigchld_newrole(xdm_t) seutil_sigchld_newrole(xdm_t)
') ')
@@ -343,8 +482,8 @@ @@ -343,8 +482,9 @@
') ')
optional_policy(` optional_policy(`
- unconfined_domain(xdm_t) - unconfined_domain(xdm_t)
+ unconfined_domain(xdm_xserver_t)
unconfined_domtrans(xdm_t) unconfined_domtrans(xdm_t)
+ unconfined_signal(xdm_t) + unconfined_signal(xdm_t)
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem }; allow xdm_t self:process { execheap execmem };
@@ -380,7 +519,7 @@ @@ -380,7 +520,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search; dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -24226,7 +24238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types. # Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -392,6 +531,15 @@ @@ -392,6 +532,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t) can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t) files_search_var_lib(xdm_xserver_t)
@ -24242,7 +24254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server # VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t) corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -404,9 +552,17 @@ @@ -404,9 +553,17 @@
# to read ROLE_home_t - examine this in more detail # to read ROLE_home_t - examine this in more detail
# (xauth?) # (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t) userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -24260,7 +24272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t)
@@ -420,6 +576,22 @@ @@ -420,6 +577,22 @@
') ')
optional_policy(` optional_policy(`
@ -24283,7 +24295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t) resmgr_stream_connect(xdm_t)
') ')
@@ -429,47 +601,125 @@ @@ -429,47 +602,125 @@
') ')
optional_policy(` optional_policy(`
@ -24924,7 +24936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
######################################## ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.3.1/policy/modules/system/fstools.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.3.1/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2008-02-18 14:30:18.000000000 -0500 --- nsaserefpolicy/policy/modules/system/fstools.te 2008-02-18 14:30:18.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-02-27 23:25:29.000000000 -0500
@@ -97,6 +97,10 @@ @@ -97,6 +97,10 @@
fs_getattr_tmpfs_dirs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t)
@ -24936,13 +24948,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
mls_file_read_all_levels(fsadm_t) mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t) mls_file_write_all_levels(fsadm_t)
@@ -184,4 +188,6 @@ @@ -184,4 +188,9 @@
optional_policy(` optional_policy(`
xen_append_log(fsadm_t) xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t) + xen_rw_image_files(fsadm_t)
') +')
+ +
+optional_policy(`
+ unconfined_domain(fsadm_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.3.1/policy/modules/system/hostname.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.3.1/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2008-02-18 14:30:18.000000000 -0500 --- nsaserefpolicy/policy/modules/system/hostname.te 2008-02-18 14:30:18.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/hostname.te 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/hostname.te 2008-02-26 08:29:22.000000000 -0500
@ -26117,7 +26132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t) +#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-27 23:23:39.000000000 -0500
@@ -44,9 +44,9 @@ @@ -44,9 +44,9 @@
# Cluster LVM daemon local policy # Cluster LVM daemon local policy
# #
@ -26248,7 +26263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# this is from the initrd: # this is from the initrd:
files_rw_isid_type_dirs(lvm_t) files_rw_isid_type_dirs(lvm_t)
@@ -289,5 +310,14 @@ @@ -289,5 +310,18 @@
') ')
optional_policy(` optional_policy(`
@ -26260,6 +26275,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
') ')
+ +
+optional_policy(` +optional_policy(`
+ unconfined_domain(lvm_t)
+')
+
+optional_policy(`
+ xen_append_log(lvm_t) + xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+') +')
@ -27818,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
xen_append_log(ifconfig_t) xen_append_log(ifconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.3.1/policy/modules/system/udev.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.3.1/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/system/udev.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/udev.te 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/udev.te 2008-02-27 23:28:08.000000000 -0500
@@ -83,6 +83,7 @@ @@ -83,6 +83,7 @@
kernel_rw_unix_dgram_sockets(udev_t) kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t) kernel_dgram_send(udev_t)
@ -27864,6 +27883,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
consoletype_exec(udev_t) consoletype_exec(udev_t)
') ')
@@ -240,5 +244,9 @@
')
optional_policy(`
+ unconfined_domain(udev_t)
+')
+
+optional_policy(`
xserver_read_xdm_pid(udev_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500 --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-02-26 08:29:22.000000000 -0500
@ -32047,7 +32076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/system/xen.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-02-27 23:16:46.000000000 -0500
@@ -6,6 +6,13 @@ @@ -6,6 +6,13 @@
# Declarations # Declarations
# #
@ -32211,7 +32240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
init_rw_script_stream_sockets(xm_t) init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t) init_use_fds(xm_t)
@@ -363,6 +375,19 @@ @@ -363,6 +375,23 @@
sysnet_read_config(xm_t) sysnet_read_config(xm_t)
@ -32231,6 +32260,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
+ fs_manage_nfs_files(xend_t) + fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t) + fs_read_nfs_symlinks(xend_t)
+') +')
+
+optional_policy(`
+ unconfined_domain(xend_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.3.1/policy/modules/users/auditadm.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.3.1/policy/modules/users/auditadm.fc
--- nsaserefpolicy/policy/modules/users/auditadm.fc 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/users/auditadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc 2008-02-26 08:29:22.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc 2008-02-26 08:29:22.000000000 -0500

View File

@ -388,6 +388,11 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Feb 27 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-6
- Prepare policy for beta release
- Change some of the system domains back to unconfined
- Turn on some of the booleans
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-5 * Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-5
- Allow nsplugin_config execstack/execmem - Allow nsplugin_config execstack/execmem
- Allow nsplugin_t to read alsa config - Allow nsplugin_t to read alsa config
@ -396,7 +401,6 @@ exit 0
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-4 * Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-4
- Add cyphesis policy - Add cyphesis policy
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-2 * Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-2
- Fix Makefile.devel to build mls modules - Fix Makefile.devel to build mls modules
- Fix qemu to be more specific on labeling - Fix qemu to be more specific on labeling