- Add wm policy
- Make mls work in graphics mode
This commit is contained in:
parent
1b94a1375f
commit
6cf32a1e8b
@ -22565,7 +22565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 14:02:11.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 16:14:47.000000000 -0500
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -23034,7 +23034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
@@ -697,8 +817,12 @@
|
@@ -697,8 +817,13 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -23043,11 +23043,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
mls_xwin_read_to_clearance(xserver_t)
|
mls_xwin_read_to_clearance(xserver_t)
|
||||||
+mls_process_write_to_clearance(xserver_t)
|
+mls_process_write_to_clearance(xserver_t)
|
||||||
+mls_file_write_to_clearance(xserver_t)
|
+mls_file_read_to_clearance(xserver_t)
|
||||||
|
+mls_file_write_all_levels(xserver_t)
|
||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -720,6 +844,7 @@
|
@@ -720,6 +845,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -23055,7 +23056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
modutils_domtrans_insmod(xserver_t)
|
modutils_domtrans_insmod(xserver_t)
|
||||||
|
|
||||||
@@ -774,6 +899,10 @@
|
@@ -774,6 +900,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23066,7 +23067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
rhgb_getpgid(xserver_t)
|
rhgb_getpgid(xserver_t)
|
||||||
rhgb_signal(xserver_t)
|
rhgb_signal(xserver_t)
|
||||||
')
|
')
|
||||||
@@ -806,7 +935,7 @@
|
@@ -806,7 +936,7 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -23075,7 +23076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -830,6 +959,10 @@
|
@@ -830,6 +960,10 @@
|
||||||
|
|
||||||
xserver_use_user_fonts(xserver_t)
|
xserver_use_user_fonts(xserver_t)
|
||||||
|
|
||||||
@ -23086,7 +23087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -844,11 +977,14 @@
|
@@ -844,11 +978,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -23102,7 +23103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -856,6 +992,11 @@
|
@@ -856,6 +993,11 @@
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -23114,7 +23115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -972,6 +1113,37 @@
|
@@ -972,6 +1114,37 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
@ -23152,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
tunable_policy(`allow_polyinstantiation',`
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
# xdm needs access for linking .X11-unix to poly /tmp
|
# xdm needs access for linking .X11-unix to poly /tmp
|
||||||
@@ -986,3 +1158,13 @@
|
@@ -986,3 +1159,13 @@
|
||||||
#
|
#
|
||||||
allow xdm_t user_home_type:file unlink;
|
allow xdm_t user_home_type:file unlink;
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
@ -23783,7 +23784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#
|
#
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if
|
||||||
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/init.if 2009-01-20 14:42:59.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/init.if 2009-01-21 16:19:55.000000000 -0500
|
||||||
@@ -280,6 +280,27 @@
|
@@ -280,6 +280,27 @@
|
||||||
kernel_dontaudit_use_fds($1)
|
kernel_dontaudit_use_fds($1)
|
||||||
')
|
')
|
||||||
@ -23812,6 +23813,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@@ -546,7 +567,7 @@
|
||||||
|
|
||||||
|
# upstart uses a datagram socket instead of initctl pipe
|
||||||
|
allow $1 self:unix_dgram_socket create_socket_perms;
|
||||||
|
- allow $1 init_t:unix_dgram_socket sendto;
|
||||||
|
+ init_chat($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
@@ -619,18 +640,19 @@
|
@@ -619,18 +640,19 @@
|
||||||
#
|
#
|
||||||
interface(`init_spec_domtrans_script',`
|
interface(`init_spec_domtrans_script',`
|
||||||
@ -27350,7 +27360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-21 15:37:07.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-21 16:19:30.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.3
|
Version: 3.6.3
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -445,8 +445,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-4
|
* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-5
|
||||||
- Add wm policy
|
- Add wm policy
|
||||||
|
- Make mls work in graphics mode
|
||||||
|
|
||||||
* Tue Jan 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-3
|
* Tue Jan 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-3
|
||||||
- Fixed for DeviceKit
|
- Fixed for DeviceKit
|
||||||
|
Loading…
Reference in New Issue
Block a user