- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.

2009-04-08 13:18:20 +00:00 · 2009-04-08 13:18:20 +00:00 · 90e4193775
commit 90e4193775
parent 2e917624ad
2 changed files with 12 additions and 7 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -1980,7 +1980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.12/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/java.if	2009-04-07 16:01:44.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/java.if	2009-04-08 08:35:54.000000000 -0400
@@ -30,6 +30,7 @@
 	allow java_t $2:unix_stream_socket connectto;
@ -1989,7 +1989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -68,3 +69,128 @@
+@@ -68,3 +69,129 @@
 	domtrans_pattern($1, java_exec_t, unconfined_java_t)
 	corecmd_search_bin($1)
 ')
@ -2104,6 +2104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	domain_interactive_fd($1_java_t)
 +
 +	userdom_unpriv_usertype($1, $1_java_t)
 +	userdom_manage_tmpfs_role($2, $1_java_t)
 +
 +	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
 +	allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
@ -2266,8 +2267,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +seutil_domtrans_setfiles_mac(livecd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.12/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/apps/mono.if	2009-04-07 16:01:44.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/mono.if	2009-04-08 08:35:44.000000000 -0400
-@@ -21,6 +21,103 @@
+@@ -21,6 +21,104 @@
 ########################################
 ## <summary>
@ -2352,6 +2353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	domain_interactive_fd($1_mono_t)
 +
 +	userdom_unpriv_usertype($1, $1_mono_t)
 +	userdom_manage_tmpfs_role($2, $1_mono_t)
 +
 +	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
 +	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
@ -2371,7 +2373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute the mono program in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -31,7 +128,7 @@
+@@ -31,7 +129,7 @@
 #
 interface(`mono_exec',`
 	gen_require(`
@ -22399,7 +22401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-04-07 16:01:44.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-04-08 08:34:37.000000000 -0400
@@ -34,6 +34,13 @@
 ## <desc>
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -444,6 +444,9 @@ exit 0
 %endif
 %changelog
 * Wed Apr 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-2
 - Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
 * Tue Apr 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-1
 - Upgrade to latest upstream
 - Allow devicekit_disk sys_rawio