- Update rhcs policy

2009-09-29 19:47:31 +00:00 · 2009-09-29 19:47:31 +00:00 · 5b96313949
commit 5b96313949
parent 9b29bf3f78
3 changed files with 69 additions and 23 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -1199,6 +1199,20 @@ rgmanager = module
 #
 rhcs = module
 # Layer: services
 # Module: aisexec
 #
 # RHCS - Red Hat Cluster Suite
 #
 aisexec = module
 # Layer: services
 # Module: rgmanager
 #
 # rgmanager
 # 
 rgmanager = module
 # Layer: services
 # Module: rhgb
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1199,6 +1199,20 @@ rgmanager = module
 #
 rhcs = module
 # Layer: services
 # Module: aisexec
 #
 # RHCS - Red Hat Cluster Suite
 #
 aisexec = module
 # Layer: services
 # Module: rgmanager
 #
 # rgmanager
 # 
 rgmanager = module
 # Layer: services
 # Module: rhgb
 #
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -2593,8 +2593,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if	2009-09-23 10:34:03.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if	2009-09-29 15:46:41.000000000 -0400
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,322 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -2686,6 +2686,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $1 types nsplugin_config_t;
 +
 +	allow nsplugin_t $2:process signull;
 +	allow nsplugin_t $2:dbus send_msg;
 +	allow $2 nsplugin_t:dbus send_msg;
 +
 +	list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
 +	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
@ -3332,6 +3334,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +type openoffice_t;
 +type openoffice_exec_t;
 +application_domain(openoffice_t, openoffice_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if	2009-08-31 13:30:04.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if	2009-09-29 15:46:25.000000000 -0400
@@ -40,7 +40,7 @@
 	userdom_manage_tmpfs_role($1, pulseaudio_t)
 	allow $2 pulseaudio_t:dbus send_msg;
 -	allow pulseaudio_t $2:dbus send_msg;
 +	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
 ')
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2009-08-31 13:30:04.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te	2009-09-16 10:03:08.000000000 -0400
@ -20311,7 +20325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-09-21 08:22:39.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-09-29 15:34:33.000000000 -0400
@@ -34,6 +34,13 @@
 ## <desc>
@ -20727,7 +20741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	hostname_exec(xdm_t)
 ')
-@@ -542,6 +652,30 @@
+@@ -542,6 +652,34 @@
 ')
 optional_policy(`
@ -20739,6 +20753,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
 +	pcscd_stream_connect(xdm_t)
 +')
 +
 +optional_policy(`
 +	pulseaudio_exec(xdm_t)
 +	pulseaudio_dbus_chat(xdm_t)
 +')
@ -20758,7 +20776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -550,8 +684,9 @@
+@@ -550,8 +688,9 @@
 ')
 optional_policy(`
@ -20770,7 +20788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +695,6 @@
+@@ -560,7 +699,6 @@
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
 	')
@ -20778,7 +20796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +705,10 @@
+@@ -571,6 +709,10 @@
 ')
 optional_policy(`
@ -20789,7 +20807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
-@@ -587,10 +725,9 @@
+@@ -587,10 +729,9 @@
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -20801,7 +20819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
 allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +739,12 @@
+@@ -602,9 +743,12 @@
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -20814,7 +20832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +756,14 @@
+@@ -616,13 +760,14 @@
 type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
 allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@ -20830,7 +20848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +776,19 @@
+@@ -635,9 +780,19 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -20850,7 +20868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +822,6 @@
+@@ -671,7 +826,6 @@
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -20858,7 +20876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_create_generic_dirs(xserver_t)
 dev_setattr_generic_dirs(xserver_t)
 # raw memory access is needed if not using the frame buffer
-@@ -681,9 +831,12 @@
+@@ -681,9 +835,12 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -20872,7 +20890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +851,12 @@
+@@ -698,8 +855,12 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -20885,7 +20903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -721,6 +878,7 @@
+@@ -721,6 +882,7 @@
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -20893,7 +20911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +901,7 @@
+@@ -743,7 +905,7 @@
 ')
 ifdef(`enable_mls',`
@ -20902,7 +20920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
-@@ -775,12 +933,20 @@
+@@ -775,12 +937,20 @@
 ')
 optional_policy(`
@ -20924,7 +20942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_domtrans(xserver_t)
 ')
-@@ -807,7 +973,7 @@
+@@ -807,7 +977,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
@ -20933,7 +20951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,9 +994,14 @@
+@@ -828,9 +998,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -20948,7 +20966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1016,14 @@
+@@ -845,11 +1020,14 @@
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -20964,7 +20982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -882,6 +1056,8 @@
+@@ -882,6 +1060,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -20973,7 +20991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1082,8 @@
+@@ -906,6 +1086,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -20982,7 +21000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1151,49 @@
+@@ -973,17 +1155,49 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;