- More fixes for polkit

2008-02-12 18:34:03 +00:00 · 2008-02-12 18:34:03 +00:00 · 71921f4c58
commit 71921f4c58
parent e359546c5a
1 changed files with 44 additions and 33 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -4775,7 +4775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc	2008-02-11 14:27:33.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc	2008-02-12 12:56:07.000000000 -0500
@@ -7,11 +7,11 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -4820,17 +4820,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /usr
 #
-@@ -147,7 +157,8 @@
- /usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+@@ -144,10 +154,7 @@
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib(64)?/cups/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/cups/filter(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/cups/drivers(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -186,7 +197,10 @@
+@@ -186,7 +193,10 @@
 /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
 
@ -4841,7 +4843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +298,9 @@
+@@ -284,3 +294,9 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -5484,7 +5486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.7/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/kernel/domain.te	2008-02-11 16:43:14.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/kernel/domain.te	2008-02-12 13:19:51.000000000 -0500
@@ -5,6 +5,13 @@
 #
 # Declarations
@ -5647,7 +5649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.7/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/kernel/filesystem.if	2008-02-12 09:41:43.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/kernel/filesystem.if	2008-02-12 13:01:12.000000000 -0500
@@ -310,6 +310,25 @@
 
 ########################################
@ -6058,7 +6060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
 ##	SELinux protections for filesystem objects, and
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.7/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2007-09-12 10:34:17.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/kernel/terminal.if	2008-02-06 11:02:29.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/kernel/terminal.if	2008-02-12 13:00:27.000000000 -0500
@@ -525,11 +525,13 @@
 interface(`term_use_generic_ptys',`
 	gen_require(`
@ -21847,7 +21849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.7/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/xserver.te	2008-02-12 12:43:50.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/xserver.te	2008-02-12 13:25:46.000000000 -0500
@@ -16,6 +16,13 @@
 
 ## <desc>
@ -22052,7 +22054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 
-@@ -304,7 +363,27 @@
+@@ -304,7 +363,11 @@
 ')
 
 optional_policy(`
@ -22062,8 +22064,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 +optional_policy(`
 +	consolekit_read_log(xdm_t)
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+@@ -312,6 +375,23 @@
+ ')
+ 
+ optional_policy(`
 +	dbus_per_role_template(xdm, xdm_t, system_r)
 +	dbus_system_bus_client_template(xdm, xdm_t)
 +
@ -22078,10 +22085,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	optional_policy(`
 +		networkmanager_dbus_chat(xdm_t)
 +	')
- ')
- 
- optional_policy(`
-@@ -322,6 +401,10 @@
+')
+
+optional_policy(`
+ 	# Talk to the console mouse server.
+ 	gpm_stream_connect(xdm_t)
+ 	gpm_setattr_gpmctl(xdm_t)
+@@ -322,6 +402,10 @@
 ')
 
 optional_policy(`
@ -22092,7 +22102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	loadkeys_exec(xdm_t)
 ')
 
-@@ -335,6 +418,11 @@
+@@ -335,6 +419,11 @@
 ')
 
 optional_policy(`
@ -22104,7 +22114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	seutil_sigchld_newrole(xdm_t)
 ')
 
-@@ -343,8 +431,8 @@
+@@ -343,8 +432,8 @@
 ')
 
 optional_policy(`
@ -22114,7 +22124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +468,7 @@
+@@ -380,7 +469,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 
@ -22123,7 +22133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +480,15 @@
+@@ -392,6 +481,15 @@
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 files_search_var_lib(xdm_xserver_t)
 
@ -22139,7 +22149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xdm_xserver_t)
 
-@@ -404,6 +501,7 @@
+@@ -404,6 +502,7 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -22147,7 +22157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 xserver_use_all_users_fonts(xdm_xserver_t)
 
-@@ -420,6 +518,14 @@
+@@ -420,6 +519,14 @@
 ')
 
 optional_policy(`
@ -22162,7 +22172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
 
-@@ -429,47 +535,103 @@
+@@ -429,47 +536,103 @@
 ')
 
 optional_policy(`
@ -24144,7 +24154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.7/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/modutils.te	2008-02-06 11:08:30.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/system/modutils.te	2008-02-12 13:01:36.000000000 -0500
@@ -42,7 +42,7 @@
 # insmod local policy
 #
@ -24181,13 +24191,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 
 libs_use_ld_so(insmod_t)
 libs_use_shared_libs(insmod_t)
-@@ -118,11 +118,27 @@
+@@ -118,11 +118,28 @@
 	')
 ')
 
 +term_dontaudit_use_unallocated_ttys(insmod_t)
 +userdom_dontaudit_search_users_home_dirs(insmod_t)
 +userdom_dontaudit_search_sysadm_home_dirs(insmod_t)
+fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
 +
 if( ! secure_mode_insmod ) {
 	kernel_domtrans_to(insmod_t,insmod_exec_t)
@ -24209,7 +24220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 	hotplug_search_config(insmod_t)
 ')
 
-@@ -155,10 +171,12 @@
+@@ -155,10 +172,12 @@
 
 optional_policy(`
 	rpm_rw_pipes(insmod_t)
@ -24222,7 +24233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 ')
 
 optional_policy(`
-@@ -185,6 +203,7 @@
+@@ -185,6 +204,7 @@
 
 files_read_kernel_symbol_table(depmod_t)
 files_read_kernel_modules(depmod_t)
@ -24230,7 +24241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 
 fs_getattr_xattr_fs(depmod_t)
 
-@@ -208,9 +227,11 @@
+@@ -208,9 +228,11 @@
 
 # Read System.map from home directories.
 files_list_home(depmod_t)
@ -24243,7 +24254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(depmod_t)
-@@ -219,11 +240,12 @@
+@@ -219,11 +241,12 @@
 
 optional_policy(`
 	# Read System.map from home directories.