- Fixes for nsplugin

2008-02-03 13:39:47 +00:00 · 2008-02-03 13:39:47 +00:00 · 60c693e546
parent 11ac4bcde1
commit 60c693e546
2 changed files with 86 additions and 13 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -4122,8 +4122,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.6/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/apps/nsplugin.te	2008-02-01 22:19:57.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/apps/nsplugin.te	2008-02-03 08:32:51.000000000 -0500
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,136 @@
 +policy_module(nsplugin,1.0.0)
 +
 +########################################
@ -4156,7 +4156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +# nsplugin local policy
 +#
 +allow nsplugin_t self:fifo_file rw_file_perms;
-+allow nsplugin_t self:process getsched;
+allow nsplugin_t self:process { ptrace getsched };
 +
 +manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
 +manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
@ -4169,6 +4169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +corenet_all_recvfrom_unlabeled(nsplugin_t)
 +corenet_all_recvfrom_netlabel(nsplugin_t)
 +corenet_tcp_connect_flash_port(nsplugin_t)
 +corenet_tcp_connect_http_port(nsplugin_t)
 +corenet_tcp_sendrecv_generic_if(nsplugin_t)
 +corenet_tcp_sendrecv_all_nodes(nsplugin_t)
 +
@ -5559,7 +5560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.6/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.6/policy/modules/kernel/filesystem.if	2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/kernel/filesystem.if	2008-02-02 17:18:44.000000000 -0500
@@ -310,6 +310,25 @@
 ########################################
@ -5621,6 +5622,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 ')
 ########################################
@@ -3039,6 +3077,25 @@
 ########################################
 ## <summary>
 +##	Read and write block nodes on removable filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fs_rw_removable_blk_files',`
 +	gen_require(`
 +		type removable_t;
 +	')
 +
 +	allow $1 removable_t:dir list_dir_perms;
 +	rw_blk_files_pattern($1,removable_t,removable_t)
 +')
 +
 +########################################
 +## <summary>
 ##	Relabel block nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.6/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-12-19 05:32:07.000000000 -0500
 +++ serefpolicy-3.2.6/policy/modules/kernel/filesystem.te	2008-02-01 16:01:42.000000000 -0500
@ -23494,8 +23521,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.6/policy/modules/system/qemu.te
 --- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/qemu.te	2008-02-02 10:40:41.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/qemu.te	2008-02-02 17:19:03.000000000 -0500
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,58 @@
 +policy_module(qemu,1.0.0)
 +
 +########################################
@ -23533,6 +23560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
 +corenet_rw_tun_tap_dev(qemu_t)
 +
 +virt_manage_image(qemu_t)
 +virt_read_config(qemu_t)
 +
 +dev_rw_kvm(qemu_t)
 +
@ -23542,6 +23570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
 +files_search_all(qemu_t)
 +
 +fs_rw_anon_inodefs_files(qemu_t)
 +fs_rw_removable_blk_files(qemu_t)
 +
 +term_use_ptmx(qemu_t)
 +term_getattr_pty_fs(qemu_t)
@ -27805,8 +27834,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.6/policy/modules/system/virt.fc
 --- nsaserefpolicy/policy/modules/system/virt.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/virt.fc	2008-02-02 01:21:35.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/virt.fc	2008-02-02 17:13:58.000000000 -0500
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,13 @@
 +
 +/usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +
@ -27815,10 +27844,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f
 +/var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 +/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 +
 +/etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
 +/etc/libvirt/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
 +/etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 +/etc/libvirt/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.6/policy/modules/system/virt.if
 --- nsaserefpolicy/policy/modules/system/virt.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/virt.if	2008-02-01 23:48:44.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/virt.if	2008-02-02 17:16:14.000000000 -0500
-@@ -0,0 +1,303 @@
+@@ -0,0 +1,324 @@
 +
 +## <summary>policy for virt</summary>
 +
@ -27881,6 +27915,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
 +
 +########################################
 +## <summary>
 +##	Read virt config files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_read_config',`
 +	gen_require(`
 +		type virt_etc_t;
 +		type virt_etc_rw_t;
 +	')
 +
 +	files_search_etc($1)
 +	read_files_pattern($1, virt_etc_t, virt_etc_t)
 +	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage virt var_run files.
 +## </summary>
 +## <param name="domain">
@ -28124,8 +28179,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/virt.te	2008-02-02 10:41:16.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/virt.te	2008-02-02 17:10:42.000000000 -0500
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,135 @@
 +
 +policy_module(virt,1.0.0)
 +
@ -28162,6 +28217,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
 +type virt_var_lib_t;
 +files_type(virt_var_lib_t)
 +
 +type virt_etc_t;
 +files_type(virt_etc_t)
 +
 +type virt_etc_rw_t;
 +files_type(virt_etc_rw_t)
 +
 +type virt_log_t;
 +logging_log_file(virt_log_t)
 +
@ -28194,6 +28255,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
 +manage_files_pattern(virtd_t, virt_log_t,  virt_log_t)
 +logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
 +
 +read_files_pattern(virtd_t, virt_etc_t,  virt_etc_t)
 +
 +manage_dirs_pattern(virtd_t, virt_etc_rw_t,  virt_etc_rw_t)
 +manage_files_pattern(virtd_t, virt_etc_rw_t,  virt_etc_rw_t)
 +files_trans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 +
 +corenet_all_recvfrom_unlabeled(virtd_t)
 +corenet_all_recvfrom_netlabel(virtd_t)
 +corenet_tcp_sendrecv_all_if(virtd_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.6
-Release: 2%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,12 @@ exit 0
 %endif
 %changelog
 * Sun Feb 3 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-4
 - Fixes for nsplugin
 * Sat Feb 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-3
 - More fixes for qemu
 * Sat Feb 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-2
 - Additional ports for vnc and allow qemu and libvirt to search all directories