- Update rhcs policy

This commit is contained in:
Daniel J Walsh 2009-09-29 19:47:31 +00:00
parent 9b29bf3f78
commit 5b96313949
3 changed files with 69 additions and 23 deletions

View File

@ -1199,6 +1199,20 @@ rgmanager = module
#
rhcs = module
# Layer: services
# Module: aisexec
#
# RHCS - Red Hat Cluster Suite
#
aisexec = module
# Layer: services
# Module: rgmanager
#
# rgmanager
#
rgmanager = module
# Layer: services
# Module: rhgb
#

View File

@ -1199,6 +1199,20 @@ rgmanager = module
#
rhcs = module
# Layer: services
# Module: aisexec
#
# RHCS - Red Hat Cluster Suite
#
aisexec = module
# Layer: services
# Module: rgmanager
#
# rgmanager
#
rgmanager = module
# Layer: services
# Module: rhgb
#

View File

@ -2593,8 +2593,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-23 10:34:03.000000000 -0400
@@ -0,0 +1,320 @@
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-29 15:46:41.000000000 -0400
@@ -0,0 +1,322 @@
+
+## <summary>policy for nsplugin</summary>
+
@ -2686,6 +2686,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $1 types nsplugin_config_t;
+
+ allow nsplugin_t $2:process signull;
+ allow nsplugin_t $2:dbus send_msg;
+ allow $2 nsplugin_t:dbus send_msg;
+
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
@ -3332,6 +3334,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-09-29 15:46:25.000000000 -0400
@@ -40,7 +40,7 @@
userdom_manage_tmpfs_role($1, pulseaudio_t)
allow $2 pulseaudio_t:dbus send_msg;
- allow pulseaudio_t $2:dbus send_msg;
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-09-16 10:03:08.000000000 -0400
@ -20311,7 +20325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-21 08:22:39.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-29 15:34:33.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@ -20727,7 +20741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t)
')
@@ -542,6 +652,30 @@
@@ -542,6 +652,34 @@
')
optional_policy(`
@ -20739,6 +20753,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
+ pcscd_stream_connect(xdm_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(xdm_t)
+ pulseaudio_dbus_chat(xdm_t)
+')
@ -20758,7 +20776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
@@ -550,8 +684,9 @@
@@ -550,8 +688,9 @@
')
optional_policy(`
@ -20770,7 +20788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -560,7 +695,6 @@
@@ -560,7 +699,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@ -20778,7 +20796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
@@ -571,6 +705,10 @@
@@ -571,6 +709,10 @@
')
optional_policy(`
@ -20789,7 +20807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
@@ -587,10 +725,9 @@
@@ -587,10 +729,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -20801,7 +20819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
@@ -602,9 +739,12 @@
@@ -602,9 +743,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -20814,7 +20832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
@@ -616,13 +756,14 @@
@@ -616,13 +760,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@ -20830,7 +20848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -635,9 +776,19 @@
@@ -635,9 +780,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -20850,7 +20868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
@@ -671,7 +822,6 @@
@@ -671,7 +826,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -20858,7 +20876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
@@ -681,9 +831,12 @@
@@ -681,9 +835,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@ -20872,7 +20890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
@@ -698,8 +851,12 @@
@@ -698,8 +855,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -20885,7 +20903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
@@ -721,6 +878,7 @@
@@ -721,6 +882,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@ -20893,7 +20911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
@@ -743,7 +901,7 @@
@@ -743,7 +905,7 @@
')
ifdef(`enable_mls',`
@ -20902,7 +20920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
@@ -775,12 +933,20 @@
@@ -775,12 +937,20 @@
')
optional_policy(`
@ -20924,7 +20942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t)
')
@@ -807,7 +973,7 @@
@@ -807,7 +977,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@ -20933,7 +20951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -828,9 +994,14 @@
@@ -828,9 +998,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -20948,7 +20966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
@@ -845,11 +1016,14 @@
@@ -845,11 +1020,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@ -20964,7 +20982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -882,6 +1056,8 @@
@@ -882,6 +1060,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@ -20973,7 +20991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
@@ -906,6 +1082,8 @@
@@ -906,6 +1086,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -20982,7 +21000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
@@ -973,17 +1151,49 @@
@@ -973,17 +1155,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;