- Additional perms for readahead

2009-04-24 04:09:22 +00:00 · 2009-04-24 04:09:22 +00:00 · 5ce1c49771
parent 5ba1bf287a
commit 5ce1c49771
2 changed files with 46 additions and 63 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -850,8 +850,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`distro_suse', `
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-04-23 23:59:46.000000000 -0400
-@@ -146,6 +146,24 @@
+@@ -66,6 +66,11 @@
 	rpm_domtrans($1)
 	role $2 types rpm_t;
 	role $2 types rpm_script_t;
 +
 +	domain_system_change_exemption($1)
 +	role_transition $2 rpm_exec_t system_r;
 +	allow $2 system_r;
 +
 	seutil_run_loadpolicy(rpm_script_t, $2)
 	seutil_run_semanage(rpm_script_t, $2)
 	seutil_run_setfiles(rpm_script_t, $2)
@@ -146,6 +151,24 @@
 ########################################
 ## <summary>
@ -876,7 +888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Send and receive messages from
 ##	rpm over dbus.
 ## </summary>
-@@ -167,6 +185,48 @@
+@@ -167,6 +190,48 @@
 ########################################
 ## <summary>
@ -925,7 +937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create, read, write, and delete the RPM log.
 ## </summary>
 ## <param name="domain">
-@@ -186,6 +246,24 @@
+@@ -186,6 +251,24 @@
 ########################################
 ## <summary>
@ -950,7 +962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Inherit and use file descriptors from RPM scripts.
 ## </summary>
 ## <param name="domain">
-@@ -204,6 +282,24 @@
+@@ -204,6 +287,24 @@
 ########################################
 ## <summary>
@ -975,7 +987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create, read, write, and delete RPM
 ##	script temporary files.
 ## </summary>
-@@ -219,7 +315,29 @@
+@@ -219,7 +320,29 @@
 	')
 	files_search_tmp($1)
@ -1005,7 +1017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -245,6 +363,24 @@
+@@ -245,6 +368,24 @@
 ########################################
 ## <summary>
@ -1030,7 +1042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create, read, write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
-@@ -283,3 +419,175 @@
+@@ -283,3 +424,148 @@
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
@ -1144,33 +1156,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
 +##	Transition to system_r when execute an rpm script
 +## </summary>
 +## <desc>
 +##      <p>
 +##	Execute rpm script in a specified role
 +##      </p>
 +##      <p>
 +##      No interprocess communication (signals, pipes,
 +##      etc.) is provided by this interface since
 +##      the domains are not owned by this module.
 +##      </p>
 +## </desc>
 +## <param name="source_role">
 +##	<summary>
 +##	Role to transition from.
 +##	</summary>
 +## </param>
 +interface(`rpm_role_transition',`
 +	gen_require(`
 +		type rpm_exec_t;
 +	')
 +
 +	role_transition $1 rpm_exec_t system_r;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to write, and delete the 
 +##	RPM var run files
 +## </summary>
@ -6393,7 +6378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	requiring the caller to use setexeccon().
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-04-24 00:02:59.000000000 -0400
@@ -15,7 +15,7 @@
 role sysadm_r;
@ -6557,7 +6542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	quota_run(sysadm_t, sysadm_r)
 ')
-@@ -320,19 +258,12 @@
+@@ -320,10 +258,6 @@
 ')
 optional_policy(`
@ -6568,17 +6553,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rpc_domtrans_nfsd(sysadm_t)
 ')
- optional_policy(`
+@@ -332,10 +266,6 @@
 	rpm_run(sysadm_t, sysadm_r)
 -')
 -
 -optional_policy(`
 -	rssh_role(sysadm_r, sysadm_t)
 +	rpm_role_transition(sysadm_r)
 ')
 optional_policy(`
-@@ -345,10 +276,6 @@
+-	rssh_role(sysadm_r, sysadm_t)
 -')
 -
 -optional_policy(`
 	rsync_exec(sysadm_t)
 ')
@@ -345,10 +275,6 @@
 ')
 optional_policy(`
@ -6589,7 +6575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	secadm_role_change(sysadm_r)
 ')
-@@ -358,35 +285,15 @@
+@@ -358,35 +284,15 @@
 ')
 optional_policy(`
@ -6625,7 +6611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	tripwire_run_siggen(sysadm_t, sysadm_r)
 	tripwire_run_tripwire(sysadm_t, sysadm_r)
 	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +301,10 @@
+@@ -394,18 +300,10 @@
 ')
 optional_policy(`
@ -6644,7 +6630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_domtrans(sysadm_t)
 ')
-@@ -418,20 +317,12 @@
+@@ -418,20 +316,12 @@
 ')
 optional_policy(`
@ -6665,7 +6651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	vpn_run(sysadm_t, sysadm_r)
 ')
-@@ -440,13 +331,10 @@
+@@ -440,13 +330,7 @@
 ')
 optional_policy(`
@ -6680,10 +6666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	yam_run(sysadm_t, sysadm_r)
 ')
 +
 +domain_user_exemption_target(sysadm_t)
 +allow sysadm_r system_r;
 +init_script_role_transition(sysadm_r)
 +role system_r types sysadm_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc	2009-04-23 09:44:57.000000000 -0400
@ -7364,8 +7347,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-04-24 00:00:31.000000000 -0400
-@@ -0,0 +1,403 @@
+@@ -0,0 +1,400 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -7638,7 +7621,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	rpm_run(unconfined_t, unconfined_r)
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
 +	rpm_role_transition(unconfined_r)
 +')
 +
 +optional_policy(`
@ -7767,8 +7749,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-11-11 16:13:47.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te	2009-04-23 09:44:57.000000000 -0400
@ -27924,7 +27904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.12/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te	2009-04-23 23:08:07.000000000 -0400
@@ -23,6 +23,9 @@
 type selinux_config_t;
 files_type(selinux_config_t)
@ -29523,7 +29503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-23 23:55:27.000000000 -0400
@@ -30,8 +30,9 @@
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -213,8 +213,8 @@ make clean
 %if %{BUILD_TARGETED}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds targeted mcs n y allow
+%setupCmds targeted mcs y y allow
-%installCmds targeted mcs n y allow
+%installCmds targeted mcs y y allow
 %endif
 %if %{BUILD_MINIMUM}
@ -237,7 +237,7 @@ make clean
 %installCmds olpc mcs n y allow
 %endif
-make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
@ -446,6 +446,9 @@ exit 0
 %endif
 %changelog
 * Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-15
 - Additional perms for readahead
 * Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-14
 - Allow pulseaudio to acquire_svc on session bus
 - Fix readahead labeling