- Add wm policy

- Make mls work in graphics mode
2009-01-21 22:49:23 +00:00 · 2009-01-21 22:49:23 +00:00 · 6f8856e9d4
parent 6cf32a1e8b
commit 6f8856e9d4
2 changed files with 91 additions and 40 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -5130,7 +5130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.3/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/files.if	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/files.if	2009-01-21 17:33:03.000000000 -0500
@@ -110,6 +110,11 @@
 ## </param>
 #
@ -5340,7 +5340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -4921,3 +5036,71 @@
+@@ -4921,3 +5036,95 @@
 	typeattribute $1 files_unconfined_type;
 ')
@ -5412,6 +5412,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	manage_lnk_files_pattern($1,var_run_t,var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	manage generic symbolic links
 +##	in the /var/run directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_boot',`
 +	gen_require(`
 +		type root_t;
 +	')
 +
 +	allow $1 root_t:blk_file manage_blk_file_perms;
 +	allow $1 root_t:chr_file manage_chr_file_perms;
 +	manage_dirs_pattern($1, root_t, root_t)
 +	manage_files_pattern($1, root_t, root_t)
 +	manage_lnk_files_pattern($1, root_t, root_t)
 +	can_exec(kernel_t, root_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.3/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/files.te	2009-01-19 13:10:02.000000000 -0500
@ -5890,7 +5914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.3/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if	2009-01-20 16:17:37.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if	2009-01-21 17:29:54.000000000 -0500
@@ -1197,6 +1197,7 @@
 	')
@ -5997,7 +6021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.3/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te	2009-01-20 17:15:33.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te	2009-01-21 17:46:13.000000000 -0500
@@ -63,6 +63,15 @@
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@ -6061,11 +6085,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 mcs_process_set_categories(kernel_t)
-@@ -267,12 +287,17 @@
+@@ -267,12 +287,18 @@
 mls_process_write_down(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t) 
 +mls_socket_write_all_levels(kernel_t) 
 +mls_fd_share_all_levels(kernel_t) 
 +
 +logging_manage_generic_logs(kernel_t)
@ -6079,7 +6104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`read_default_t',`
 	files_list_default(kernel_t)
 	files_read_default_files(kernel_t)
-@@ -357,6 +382,10 @@
+@@ -357,6 +383,10 @@
 	unconfined_domain(kernel_t)
 ')
@ -6090,6 +6115,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Unlabeled process local policy
@@ -386,3 +416,5 @@
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
 allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
 +
 +files_boot(kernel_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.3/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/selinux.if	2009-01-19 13:32:33.000000000 -0500
@ -6197,8 +6228,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.6.3/policy/modules/roles/auditadm.te
 --- nsaserefpolicy/policy/modules/roles/auditadm.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/roles/auditadm.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/roles/auditadm.te	2009-01-21 17:30:16.000000000 -0500
-@@ -32,158 +32,18 @@
+@@ -17,6 +17,8 @@
 allow auditadm_t self:capability { dac_read_search dac_override };
 +kernel_read_ring_buffer(auditadm_t)
 +
 corecmd_exec_shell(auditadm_t)
 domain_kill_all_domains(auditadm_t)
@@ -32,158 +34,18 @@
 seutil_read_bin_policy(auditadm_t)
 optional_policy(`
@ -21808,13 +21848,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-21 13:00:55.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-21 16:53:49.000000000 -0500
@@ -53,7 +53,7 @@
 # virtd local policy
 #
 -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
-+allow virtd_t self:capability { dac_override kill net_admin  net_raw setuid setgid sys_nice sys_ptrace };
+allow virtd_t self:capability { dac_override kill net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
 allow virtd_t self:process { getsched sigkill signal execmem };
 allow virtd_t self:fifo_file rw_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
@ -23974,7 +24014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-20 17:11:43.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-21 17:45:29.000000000 -0500
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart,false)
@ -24077,11 +24117,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 can_exec(initrc_t,initrc_tmp_t)
 allow initrc_t initrc_tmp_t:file manage_file_perms;
-@@ -249,15 +278,18 @@
+@@ -249,15 +278,19 @@
 kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
 +kernel_stream_connect(initrc_t)
 +files_read_kernel_modules(initrc_t)
 files_read_kernel_symbol_table(initrc_t)
 +files_exec_etc_files(initrc_t)
@ -24100,7 +24141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -274,7 +306,7 @@
+@@ -274,7 +307,7 @@
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
@ -24109,7 +24150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -328,7 +360,7 @@
+@@ -328,7 +361,7 @@
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -24118,7 +24159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -367,6 +399,7 @@
+@@ -367,6 +400,7 @@
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
@ -24126,7 +24167,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(initrc_t)
 logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
-@@ -498,6 +531,7 @@
+@@ -451,7 +485,7 @@
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
 -	kernel_dontaudit_use_fds(initrc_t)
 +	kernel_use_fds(initrc_t)
 	files_dontaudit_read_root_files(initrc_t)
 	selinux_set_enforce_mode(initrc_t)
@@ -498,6 +532,7 @@
 	optional_policy(`
 		#for /etc/rc.d/init.d/nfs to create /etc/exports
 		rpc_write_exports(initrc_t)
@ -24134,7 +24184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	optional_policy(`
-@@ -516,6 +550,31 @@
+@@ -516,6 +551,31 @@
 	')
 ')
@ -24166,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +629,10 @@
+@@ -570,6 +630,10 @@
 	dbus_read_config(initrc_t)
 	optional_policy(`
@ -24177,7 +24227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		networkmanager_dbus_chat(initrc_t)
 	')
 ')
-@@ -655,12 +718,6 @@
+@@ -655,12 +719,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
@ -24190,7 +24240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -721,6 +778,9 @@
+@@ -721,6 +779,9 @@
 	# why is this needed:
 	rpm_manage_db(initrc_t)
@ -24200,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -733,10 +793,12 @@
+@@ -733,10 +794,12 @@
 	squid_manage_logs(initrc_t)
 ')
@ -24213,7 +24263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +816,11 @@
+@@ -754,6 +817,11 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
@ -24225,7 +24275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	unconfined_domain(initrc_t)
-@@ -768,6 +835,10 @@
+@@ -768,6 +836,10 @@
 ')
 optional_policy(`
@ -24236,7 +24286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	vmware_read_system_config(initrc_t)
 	vmware_append_system_config(initrc_t)
 ')
-@@ -790,3 +861,11 @@
+@@ -790,3 +862,11 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -25246,7 +25296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.3/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/mount.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/mount.te	2009-01-21 17:47:52.000000000 -0500
@@ -18,17 +18,18 @@
 init_system_domain(mount_t,mount_exec_t)
 role system_r types mount_t;
@ -25279,7 +25329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow mount_t mount_loopback_t:file read_file_perms;
-@@ -47,12 +49,18 @@
+@@ -47,12 +49,19 @@
 files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
@ -25291,6 +25341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_search_debugfs(mount_t)
 +kernel_setsched(mount_t)
 +kernel_use_fds(mount_t)
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
@ -25298,7 +25349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +70,19 @@
+@@ -62,16 +71,19 @@
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
@ -25321,7 +25372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_use_all_terms(mount_t)
-@@ -79,6 +90,7 @@
+@@ -79,6 +91,7 @@
 corecmd_exec_bin(mount_t)
 domain_use_interactive_fds(mount_t)
@ -25329,7 +25380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_search_all(mount_t)
 files_read_etc_files(mount_t)
-@@ -87,7 +99,7 @@
+@@ -87,7 +100,7 @@
 files_mounton_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
 # These rules need to be generalized.  Only admin, initrc should have it:
@ -25338,7 +25389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
-@@ -100,6 +112,8 @@
+@@ -100,6 +113,8 @@
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
@ -25347,7 +25398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_use_nsswitch(mount_t)
-@@ -116,6 +130,7 @@
+@@ -116,6 +131,7 @@
 seutil_read_config(mount_t)
 userdom_use_all_users_fds(mount_t)
@ -25355,7 +25406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -133,7 +148,7 @@
+@@ -133,7 +149,7 @@
 tunable_policy(`allow_mount_anyfile',`
 	auth_read_all_dirs_except_shadow(mount_t)
@ -25364,7 +25415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_mounton_non_security(mount_t)
 ')
-@@ -141,16 +156,16 @@
+@@ -141,16 +157,16 @@
 	# for nfs
 	corenet_all_recvfrom_unlabeled(mount_t)
 	corenet_all_recvfrom_netlabel(mount_t)
@ -25389,7 +25440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	corenet_tcp_bind_generic_port(mount_t)
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
-@@ -164,6 +179,8 @@
+@@ -164,6 +180,8 @@
 	fs_search_rpc(mount_t)
 	rpc_stub(mount_t)
@ -25398,7 +25449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -171,6 +188,15 @@
+@@ -171,6 +189,15 @@
 ')
 optional_policy(`
@ -25414,7 +25465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ifdef(`hide_broken_symptoms',`
 		# for a bug in the X server
 		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +204,11 @@
+@@ -178,6 +205,11 @@
 	')
 ')
@ -25426,7 +25477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # for kernel package installation
 optional_policy(`
 	rpm_rw_pipes(mount_t)
-@@ -185,6 +216,7 @@
+@@ -185,6 +217,7 @@
 optional_policy(`
 	samba_domtrans_smbmount(mount_t)
@ -25434,7 +25485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -195,4 +227,26 @@
+@@ -195,4 +228,26 @@
 optional_policy(`
 	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
 	unconfined_domain(unconfined_mount_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -445,7 +445,7 @@ exit 0
 %endif
 %changelog
-* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-5
+* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-6
 - Add wm policy
 - Make mls work in graphics mode