- Update to upstream

2010-01-09 14:08:52 +00:00 · 2010-01-09 14:08:52 +00:00 · 7723ea3a29
commit 7723ea3a29
parent 468fe0b647
2 changed files with 245 additions and 9 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -60,6 +60,13 @@ awstats = module
 # 
 abrt = module

+# Layer: services
+# Module: aiccu
+#
+# SixXS Automatic IPv6 Connectivity Client Utility
+# 
+aiccu = module
+
 # Layer: admin
 # Module: amanda
 #
--- a/policy-F13.patch
+++ b/policy-F13.patch
@ -10269,6 +10269,183 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
 allow afs_t self:process setsched;
 allow afs_t self:udp_socket create_socket_perms;
 allow afs_t self:fifo_file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.6/policy/modules/services/aiccu.fc
+--- nsaserefpolicy/policy/modules/services/aiccu.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/aiccu.fc	2010-01-09 09:03:46.000000000 -0500
+@@ -0,0 +1,5 @@
+
+/usr/sbin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/etc/rc\.d/init\.d/aiccu	--	gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+/var/run/aiccu.pid		--	gen_context(system_u:object_r:aiccu_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.6/policy/modules/services/aiccu.if
+--- nsaserefpolicy/policy/modules/services/aiccu.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/aiccu.if	2010-01-09 09:03:46.000000000 -0500
+@@ -0,0 +1,119 @@
+
+## <summary>policy for aiccu</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run aiccu.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aiccu_domtrans',`
+	gen_require(`
+		type aiccu_t, aiccu_exec_t;
+	')
+
+	domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+')
+
+
+########################################
+## <summary>
+##	Execute aiccu server in the aiccu domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`aiccu_initrc_domtrans',`
+	gen_require(`
+		type aiccu_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read aiccu PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aiccu_read_pid_files',`
+	gen_require(`
+		type aiccu_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 aiccu_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage aiccu var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aiccu_manage_var_run',`
+	gen_require(`
+		type aiccu_var_run_t;
+	')
+
+         manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+         manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+         manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an aiccu environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`aiccu_admin',`
+	gen_require(`
+		type aiccu_t;
+	')
+
+	allow $1 aiccu_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, aiccu_t, aiccu_t)
+	        
+
+	gen_require(`
+		type aiccu_initrc_exec_t;
+	')
+
+	# Allow aiccu_t to restart the apache service
+	aiccu_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 aiccu_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	aiccu_manage_var_run($1)
+
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.6/policy/modules/services/aiccu.te
+--- nsaserefpolicy/policy/modules/services/aiccu.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/aiccu.te	2010-01-09 09:03:46.000000000 -0500
+@@ -0,0 +1,41 @@
+policy_module(aiccu,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aiccu_t;
+type aiccu_exec_t;
+init_daemon_domain(aiccu_t, aiccu_exec_t)
+
+permissive aiccu_t;
+
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
+########################################
+#
+# aiccu local policy
+#
+
+allow aiccu_t self:capability { kill };
+allow aiccu_t self:process { fork signal };
+
+# Init script handling
+domain_use_interactive_fds(aiccu_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow aiccu_t self:fifo_file rw_file_perms;
+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.6/policy/modules/services/aisexec.fc
 --- nsaserefpolicy/policy/modules/services/aisexec.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.7.6/policy/modules/services/aisexec.fc	2010-01-07 15:28:30.000000000 -0500
@ -25343,6 +25520,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +    fs_manage_cifs_dirs(sftpd_t)
 +    fs_manage_cifs_files(sftpd_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.6/policy/modules/services/sssd.if
+--- nsaserefpolicy/policy/modules/services/sssd.if	2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/sssd.if	2010-01-09 08:10:39.000000000 -0500
+@@ -57,6 +57,25 @@
+ 
+ ########################################
+ ## <summary>
+##	Read sssd config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_read_config_files',`
+	gen_require(`
+		type sssd_config_t;
+	')
+
+	sssd_search_lib($1)
+	read_files_pattern($1, sssd_config_t, sssd_config_t)
+')
+
+########################################
+## <summary>
+ ##	Manage sssd var_run files.
+ ## </summary>
+ ## <param name="domain">
+@@ -95,6 +114,25 @@
+ 
+ ########################################
+ ## <summary>
+##	dontaudit search sssd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_dontaudit_search_lib',`
+	gen_require(`
+		type sssd_var_lib_t;
+	')
+
+	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+ ##	Read sssd lib files.
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.6/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	2010-01-07 14:53:53.000000000 -0500
 +++ serefpolicy-3.7.6/policy/modules/services/sssd.te	2010-01-07 15:29:03.000000000 -0500
@ -29721,7 +29953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.6/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/system/libraries.fc	2010-01-08 09:16:04.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/system/libraries.fc	2010-01-09 08:58:18.000000000 -0500
@@ -60,12 +60,15 @@
 #
 # /opt
@ -29938,7 +30170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 ') dnl end distro_redhat
 
 #
-@@ -307,10 +317,132 @@
+@@ -307,10 +317,134 @@
 
 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
 
@ -30071,6 +30303,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/usr/lib(64)?/libGLcore\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/libkmplayercommon\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/Unify/SQLBase/libgptsblmsui11\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.6/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.6/policy/modules/system/libraries.if	2010-01-07 15:28:30.000000000 -0500
@ -35586,7 +35820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.6/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.6/policy/modules/system/xen.te	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/system/xen.te	2010-01-09 08:22:11.000000000 -0500
@@ -85,6 +85,7 @@
 type xenconsoled_t;
 type xenconsoled_exec_t;
@ -35603,7 +35837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 
 storage_raw_read_fixed_disk(xend_t)
 storage_raw_write_fixed_disk(xend_t)
-@@ -259,10 +261,11 @@
+@@ -259,6 +261,7 @@
 #
 
 allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
@ -35611,11 +35845,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
 allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
 
-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
-+allow xenconsoled_t xen_devpts_t:chr_file manage_term_perms;
- 
- # pid file
- manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
@@ -279,6 +282,7 @@
 
 domain_dontaudit_ptrace_all_domains(xenconsoled_t)