- Fix transition to nsplugin

This commit is contained in:
Daniel J Walsh 2008-09-23 15:14:53 +00:00
parent d86efe56b9
commit a80e7ac6a3
2 changed files with 83 additions and 28 deletions


@ -564,7 +564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(kismet_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.8/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-09-03 10:17:00.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/admin/logrotate.te 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/admin/logrotate.te 2008-09-23 08:33:35.000000000 -0400
@@ -97,6 +97,7 @@
files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
@ -573,6 +573,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
@@ -167,7 +168,7 @@
')
optional_policy(`
- mailman_exec(logrotate_t)
+ mailman_domtrans(logrotate_t)
mailman_search_data(logrotate_t)
mailman_manage_log(logrotate_t)
')
@@ -189,6 +190,5 @@
')
@ -615,7 +624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.8/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-08-07 11:15:13.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/admin/mrtg.te 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/admin/mrtg.te 2008-09-23 10:04:14.000000000 -0400
@@ -78,6 +78,7 @@
dev_read_urand(mrtg_t)
@ -624,7 +633,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
@@ -101,6 +102,8 @@
@@ -92,6 +93,7 @@
fs_search_auto_mountpoints(mrtg_t)
fs_getattr_xattr_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
term_dontaudit_use_console(mrtg_t)
@@ -101,6 +103,8 @@
init_read_utmp(mrtg_t)
init_dontaudit_write_utmp(mrtg_t)
@ -633,7 +650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_read_lib_files(mrtg_t)
libs_use_ld_so(mrtg_t)
libs_use_shared_libs(mrtg_t)
@@ -111,12 +114,10 @@
@@ -111,12 +115,10 @@
selinux_dontaudit_getattr_dir(mrtg_t)
@ -647,7 +664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`enable_mls',`
corenet_udp_sendrecv_lo_if(mrtg_t)
@@ -140,14 +141,6 @@
@@ -140,14 +142,6 @@
')
optional_policy(`
@ -662,7 +679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(mrtg_t)
')
@@ -162,10 +155,3 @@
@@ -162,10 +156,3 @@
optional_policy(`
udev_read_db(mrtg_t)
')
@ -5119,7 +5136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.8/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/apps/podsleuth.te 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/apps/podsleuth.te 2008-09-22 16:03:15.000000000 -0400
@@ -11,24 +11,55 @@
application_domain(podsleuth_t, podsleuth_exec_t)
role system_r types podsleuth_t;
@ -5136,7 +5153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
-
-allow podsleuth_t self:process { signal getsched execheap execmem };
+allow podsleuth_t self:capability sys_admin;
+allow podsleuth_t self:capability { sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal getsched execheap execmem };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
@ -18214,7 +18231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.8/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/mailman.if 2008-09-19 10:41:48.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/mailman.if 2008-09-23 08:33:22.000000000 -0400
@@ -31,6 +31,12 @@
allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
allow mailman_$1_t self:udp_socket create_socket_perms;
@ -21197,7 +21214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/postfix.te 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/postfix.te 2008-09-23 09:58:09.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
@ -21311,7 +21328,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for postalias
mailman_manage_data_files(postfix_master_t)
')
@@ -255,6 +275,10 @@
@@ -196,6 +216,10 @@
')
optional_policy(`
+ postgrey_search_spool(postfix_master_t)
+')
+
+optional_policy(`
sendmail_signal(postfix_master_t)
')
@@ -255,6 +279,10 @@
corecmd_exec_bin(postfix_cleanup_t)
@ -21322,7 +21350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Postfix local local policy
@@ -280,18 +304,25 @@
@@ -280,18 +308,25 @@
files_read_etc_files(postfix_local_t)
@ -21348,7 +21376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -302,8 +333,7 @@
@@ -302,8 +337,7 @@
#
# Postfix map local policy
#
@ -21358,7 +21386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
@@ -353,8 +383,6 @@
@@ -353,8 +387,6 @@
miscfiles_read_localization(postfix_map_t)
@ -21367,7 +21395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
@@ -367,6 +395,11 @@
@@ -367,6 +399,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
@ -21379,7 +21407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Postfix pickup local policy
@@ -391,6 +424,7 @@
@@ -391,6 +428,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@ -21387,7 +21415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
@@ -398,6 +432,12 @@
@@ -398,6 +436,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@ -21400,7 +21428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
@@ -407,6 +447,14 @@
@@ -407,6 +451,14 @@
')
optional_policy(`
@ -21415,7 +21443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
uucp_domtrans_uux(postfix_pipe_t)
')
@@ -443,8 +491,11 @@
@@ -443,8 +495,11 @@
')
optional_policy(`
@ -21429,7 +21457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
@@ -470,6 +521,15 @@
@@ -470,6 +525,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@ -21445,7 +21473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Postfix qmgr local policy
@@ -553,6 +613,10 @@
@@ -553,6 +617,10 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
@ -21456,7 +21484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mailman_read_data_files(postfix_smtpd_t)
')
@@ -579,7 +643,7 @@
@@ -579,7 +647,7 @@
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
# connect to master process
@ -21710,8 +21738,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.8/policy/modules/services/postgrey.if
--- nsaserefpolicy/policy/modules/services/postgrey.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if 2008-09-19 10:23:31.000000000 -0400
@@ -12,10 +12,80 @@
+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if 2008-09-23 09:13:18.000000000 -0400
@@ -12,10 +12,98 @@
#
interface(`postgrey_stream_connect',`
gen_require(`
@ -21728,6 +21756,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
+## Search the spool directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`postgrey_search_spool',`
+ gen_require(`
+ type postgrey_spool_t;
+ ')
+
+ allow $1 postgrey_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute postgrey server in the postgrey domain.
+## </summary>
+## <param name="domain">
@ -21796,7 +21842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.8/policy/modules/services/postgrey.te
--- nsaserefpolicy/policy/modules/services/postgrey.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/postgrey.te 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/postgrey.te 2008-09-23 09:17:06.000000000 -0400
@@ -13,26 +13,38 @@
type postgrey_etc_t;
files_config_file(postgrey_etc_t)
@ -30951,7 +30997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-09-03 10:17:00.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/logging.te 2008-09-17 08:49:09.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/logging.te 2008-09-23 08:51:04.000000000 -0400
@@ -72,6 +72,12 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@ -30992,7 +31038,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
corecmd_exec_bin(auditd_t)
@@ -241,6 +257,7 @@
@@ -230,6 +246,8 @@
miscfiles_read_localization(audisp_t)
+sysnet_dns_name_resolve(audisp_t)
+
########################################
#
# Audit remote logger local policy
@@ -241,6 +259,7 @@
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_all_if(audisp_remote_t)
corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
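Review bot: The podsleuth.te hunk widens podsleuth_t from sys_admin alone to `allow podsleuth_t self:capability { sys_admin sys_rawio };` and adds `ptrace` to its self:process permissions, on top of the execmem/execheap it already had, without a comment recording which denial each grant resolves. sys_rawio covers raw block-device and I/O-port access and is an unusual need for a userspace media tool, so the .te file should carry a one-line rationale such as `# sys_rawio: required for <observed denial — TODO fill in>` directly above the rule, and if the access was only noisy rather than required a dontaudit would be the narrower fix. The new ptrace grant deserves the same treatment. The logging.te hunk has the same gap: `sysnet_dns_name_resolve(audisp_t)` is added with no note of which audisp plugin needs name resolution.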


@ -130,6 +130,7 @@ echo -n > %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u
@ -317,7 +318,6 @@ exit 0
%files targeted
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/xguest_u
%fileList targeted
%endif
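Review bot: The first spec hunk adds `%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u` to the per-policy file-list macro, which expands for every policy type passed as `%1`, while the `%files targeted` hunk drops the targeted-only entry. If any other flavor built by this spec does not generate contexts/users/xguest_u, rpmbuild will fail on the missing file, so it is worth confirming each flavor produces it before relying on the shared macro. The hunks are too short to show whether the macro invocation is already guarded per flavor.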