- Fixes for xguest
This commit is contained in:
parent
819f419b33
commit
a88b486824
187
policy-F12.patch
187
policy-F12.patch
@ -2833,8 +2833,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.21/policy/modules/apps/mozilla.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.21/policy/modules/apps/mozilla.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500
|
||||||
+++ serefpolicy-3.6.21/policy/modules/apps/mozilla.if 2009-07-01 10:43:35.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/apps/mozilla.if 2009-07-08 11:19:59.000000000 -0400
|
||||||
@@ -64,6 +64,7 @@
|
@@ -45,6 +45,18 @@
|
||||||
|
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||||
|
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||||
|
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||||
|
+
|
||||||
|
+ mozilla_dbus_chat($2)
|
||||||
|
+
|
||||||
|
+ userdom_manage_tmp_role($1, mozilla_t)
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ nsplugin_role($1, mozilla_t)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ pulseaudio_role($1, mozilla_t)
|
||||||
|
+ ')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
@@ -64,6 +76,7 @@
|
||||||
|
|
||||||
allow $1 mozilla_home_t:dir list_dir_perms;
|
allow $1 mozilla_home_t:dir list_dir_perms;
|
||||||
allow $1 mozilla_home_t:file read_file_perms;
|
allow $1 mozilla_home_t:file read_file_perms;
|
||||||
@ -2842,7 +2861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
userdom_search_user_home_dirs($1)
|
userdom_search_user_home_dirs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -83,7 +84,7 @@
|
@@ -83,7 +96,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 mozilla_home_t:dir list_dir_perms;
|
allow $1 mozilla_home_t:dir list_dir_perms;
|
||||||
@ -2853,8 +2872,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.21/policy/modules/apps/mozilla.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.21/policy/modules/apps/mozilla.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500
|
||||||
+++ serefpolicy-3.6.21/policy/modules/apps/mozilla.te 2009-07-01 10:43:35.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/apps/mozilla.te 2009-07-08 11:32:50.000000000 -0400
|
||||||
@@ -105,6 +105,7 @@
|
@@ -59,6 +59,7 @@
|
||||||
|
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
||||||
|
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
||||||
|
userdom_search_user_home_dirs(mozilla_t)
|
||||||
|
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
|
||||||
|
|
||||||
|
# Mozpluggerrc
|
||||||
|
allow mozilla_t mozilla_conf_t:file read_file_perms;
|
||||||
|
@@ -97,6 +98,7 @@
|
||||||
|
corenet_tcp_connect_ftp_port(mozilla_t)
|
||||||
|
corenet_tcp_connect_ipp_port(mozilla_t)
|
||||||
|
corenet_tcp_connect_generic_port(mozilla_t)
|
||||||
|
+corenet_tcp_connect_soundd_port(mozilla_t)
|
||||||
|
corenet_sendrecv_http_client_packets(mozilla_t)
|
||||||
|
corenet_sendrecv_http_cache_client_packets(mozilla_t)
|
||||||
|
corenet_sendrecv_ftp_client_packets(mozilla_t)
|
||||||
|
@@ -105,6 +107,7 @@
|
||||||
# Should not need other ports
|
# Should not need other ports
|
||||||
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
|
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
|
||||||
corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
|
corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
|
||||||
@ -2862,7 +2897,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
dev_read_urand(mozilla_t)
|
dev_read_urand(mozilla_t)
|
||||||
dev_read_rand(mozilla_t)
|
dev_read_rand(mozilla_t)
|
||||||
@@ -128,6 +129,7 @@
|
@@ -113,6 +116,8 @@
|
||||||
|
dev_dontaudit_rw_dri(mozilla_t)
|
||||||
|
dev_getattr_sysfs_dirs(mozilla_t)
|
||||||
|
|
||||||
|
+domain_dontaudit_read_all_domains_state(mozilla_t)
|
||||||
|
+
|
||||||
|
files_read_etc_runtime_files(mozilla_t)
|
||||||
|
files_read_usr_files(mozilla_t)
|
||||||
|
files_read_etc_files(mozilla_t)
|
||||||
|
@@ -128,6 +133,7 @@
|
||||||
fs_rw_tmpfs_files(mozilla_t)
|
fs_rw_tmpfs_files(mozilla_t)
|
||||||
|
|
||||||
term_dontaudit_getattr_pty_dirs(mozilla_t)
|
term_dontaudit_getattr_pty_dirs(mozilla_t)
|
||||||
@ -2870,15 +2914,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
logging_send_syslog_msg(mozilla_t)
|
logging_send_syslog_msg(mozilla_t)
|
||||||
|
|
||||||
@@ -143,6 +145,7 @@
|
@@ -137,12 +143,7 @@
|
||||||
userdom_manage_user_tmp_dirs(mozilla_t)
|
# Browse the web, connect to printer
|
||||||
userdom_manage_user_tmp_files(mozilla_t)
|
sysnet_dns_name_resolve(mozilla_t)
|
||||||
userdom_manage_user_tmp_sockets(mozilla_t)
|
|
||||||
|
-userdom_manage_user_home_content_dirs(mozilla_t)
|
||||||
|
-userdom_manage_user_home_content_files(mozilla_t)
|
||||||
|
-userdom_manage_user_home_content_symlinks(mozilla_t)
|
||||||
|
-userdom_manage_user_tmp_dirs(mozilla_t)
|
||||||
|
-userdom_manage_user_tmp_files(mozilla_t)
|
||||||
|
-userdom_manage_user_tmp_sockets(mozilla_t)
|
||||||
+userdom_use_user_ptys(mozilla_t)
|
+userdom_use_user_ptys(mozilla_t)
|
||||||
|
|
||||||
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
|
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
|
||||||
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
||||||
@@ -243,6 +246,8 @@
|
@@ -239,10 +240,15 @@
|
||||||
|
optional_policy(`
|
||||||
|
dbus_system_bus_client(mozilla_t)
|
||||||
|
dbus_session_bus_client(mozilla_t)
|
||||||
|
+ optional_policy(`
|
||||||
|
+ networkmanager_dbus_chat(mozilla_t)
|
||||||
|
+ ')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
gnome_stream_connect_gconf(mozilla_t)
|
gnome_stream_connect_gconf(mozilla_t)
|
||||||
@ -2887,7 +2944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -263,5 +268,10 @@
|
@@ -263,5 +269,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -2916,7 +2973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.21/policy/modules/apps/nsplugin.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.21/policy/modules/apps/nsplugin.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.21/policy/modules/apps/nsplugin.if 2009-07-06 15:10:59.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/apps/nsplugin.if 2009-07-08 10:43:18.000000000 -0400
|
||||||
@@ -0,0 +1,313 @@
|
@@ -0,0 +1,313 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for nsplugin</summary>
|
+## <summary>policy for nsplugin</summary>
|
||||||
@ -3784,7 +3841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
|
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if 2009-07-01 10:43:35.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if 2009-07-08 10:50:31.000000000 -0400
|
||||||
@@ -0,0 +1,148 @@
|
@@ -0,0 +1,148 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for pulseaudio</summary>
|
+## <summary>policy for pulseaudio</summary>
|
||||||
@ -8612,8 +8669,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
userdom_manage_user_home_content_files(webadm_t)
|
userdom_manage_user_home_content_files(webadm_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.21/policy/modules/roles/xguest.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.21/policy/modules/roles/xguest.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400
|
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/roles/xguest.te 2009-07-01 10:43:35.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/roles/xguest.te 2009-07-08 11:32:12.000000000 -0400
|
||||||
@@ -67,7 +67,11 @@
|
@@ -36,11 +36,17 @@
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
+# Dontaudit fusermount
|
||||||
|
+dontaudit xguest_t self:capability sys_admin;
|
||||||
|
+
|
||||||
|
# Allow mounting of file systems
|
||||||
|
optional_policy(`
|
||||||
|
tunable_policy(`xguest_mount_media',`
|
||||||
|
kernel_read_fs_sysctls(xguest_t)
|
||||||
|
|
||||||
|
+ # allow fusermount
|
||||||
|
+ allow xguest_t self:capability sys_admin;
|
||||||
|
+
|
||||||
|
files_dontaudit_getattr_boot_dirs(xguest_t)
|
||||||
|
files_search_mnt(xguest_t)
|
||||||
|
|
||||||
|
@@ -67,7 +73,11 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -8626,7 +8701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -75,9 +79,13 @@
|
@@ -75,9 +85,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -10209,15 +10284,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.21/policy/modules/services/apm.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.21/policy/modules/services/apm.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apm.te 2009-06-26 13:59:19.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apm.te 2009-06-26 13:59:19.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/apm.te 2009-07-01 10:43:35.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/apm.te 2009-07-08 10:40:06.000000000 -0400
|
||||||
@@ -39,6 +39,7 @@
|
@@ -60,7 +60,7 @@
|
||||||
#
|
# mknod: controlling an orderly resume of PCMCIA requires creating device
|
||||||
|
# nodes 254,{0,1,2} for some reason.
|
||||||
allow apm_t self:capability { dac_override sys_admin };
|
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
|
||||||
+dontaudit apm_t self:capability sys_ptrace;
|
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
|
||||||
|
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
|
||||||
kernel_read_system_state(apm_t)
|
allow apmd_t self:process { signal_perms getsession };
|
||||||
|
allow apmd_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow apmd_t self:unix_dgram_socket create_socket_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.21/policy/modules/services/automount.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.21/policy/modules/services/automount.if
|
||||||
--- nsaserefpolicy/policy/modules/services/automount.if 2008-10-14 11:58:09.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/automount.if 2008-10-14 11:58:09.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/automount.if 2009-07-01 10:43:35.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/automount.if 2009-07-01 10:43:35.000000000 -0400
|
||||||
@ -17486,7 +17562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.21/policy/modules/services/postgresql.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.21/policy/modules/services/postgresql.te
|
||||||
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-26 13:59:19.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-26 13:59:19.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/postgresql.te 2009-07-01 10:43:36.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/postgresql.te 2009-07-07 16:27:00.000000000 -0400
|
||||||
@@ -32,6 +32,9 @@
|
@@ -32,6 +32,9 @@
|
||||||
type postgresql_etc_t;
|
type postgresql_etc_t;
|
||||||
files_config_file(postgresql_etc_t)
|
files_config_file(postgresql_etc_t)
|
||||||
@ -17517,6 +17593,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_sendrecv_postgresql_server_packets(postgresql_t)
|
corenet_sendrecv_postgresql_server_packets(postgresql_t)
|
||||||
corenet_sendrecv_auth_client_packets(postgresql_t)
|
corenet_sendrecv_auth_client_packets(postgresql_t)
|
||||||
|
|
||||||
|
@@ -247,6 +253,7 @@
|
||||||
|
init_read_utmp(postgresql_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(postgresql_t)
|
||||||
|
+logging_send_audit_msgs(postgresql_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(postgresql_t)
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.21/policy/modules/services/ppp.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.21/policy/modules/services/ppp.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/ppp.fc 2009-07-01 10:43:36.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/ppp.fc 2009-07-01 10:43:36.000000000 -0400
|
||||||
@ -19565,7 +19649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.21/policy/modules/services/sendmail.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.21/policy/modules/services/sendmail.te
|
||||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/sendmail.te 2009-07-01 10:43:36.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/sendmail.te 2009-07-07 17:16:43.000000000 -0400
|
||||||
@@ -20,13 +20,17 @@
|
@@ -20,13 +20,17 @@
|
||||||
mta_mailserver_delivery(sendmail_t)
|
mta_mailserver_delivery(sendmail_t)
|
||||||
mta_mailserver_sender(sendmail_t)
|
mta_mailserver_sender(sendmail_t)
|
||||||
@ -19732,7 +19816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
|
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
|
||||||
+ unconfined_domain(unconfined_sendmail_t)
|
+ unconfined_domain_noaudit(unconfined_sendmail_t)
|
||||||
+')
|
+')
|
||||||
|
|
||||||
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
|
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
|
||||||
@ -22746,7 +22830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.21/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.21/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-26 13:59:19.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-26 13:59:19.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-07 15:47:58.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-08 10:50:38.000000000 -0400
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -23173,7 +23257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -542,6 +650,28 @@
|
@@ -542,6 +650,29 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23185,6 +23269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ pulseaudio_exec(xdm_t)
|
+ pulseaudio_exec(xdm_t)
|
||||||
|
+ pulseaudio_dbus_chat(xdm_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+# On crash gdm execs gdb to dump stack
|
+# On crash gdm execs gdb to dump stack
|
||||||
@ -23202,7 +23287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -550,8 +680,9 @@
|
@@ -550,8 +681,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23214,7 +23299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -560,7 +691,6 @@
|
@@ -560,7 +692,6 @@
|
||||||
ifdef(`distro_rhel4',`
|
ifdef(`distro_rhel4',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
')
|
')
|
||||||
@ -23222,7 +23307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
userhelper_dontaudit_search_config(xdm_t)
|
userhelper_dontaudit_search_config(xdm_t)
|
||||||
@@ -571,6 +701,10 @@
|
@@ -571,6 +702,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23233,7 +23318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -587,7 +721,7 @@
|
@@ -587,7 +722,7 @@
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -23242,7 +23327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
dontaudit xserver_t self:capability chown;
|
dontaudit xserver_t self:capability chown;
|
||||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow xserver_t self:memprotect mmap_zero;
|
allow xserver_t self:memprotect mmap_zero;
|
||||||
@@ -602,9 +736,11 @@
|
@@ -602,9 +737,11 @@
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -23254,7 +23339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||||
|
|
||||||
@@ -616,13 +752,14 @@
|
@@ -616,13 +753,14 @@
|
||||||
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
||||||
|
|
||||||
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
||||||
@ -23270,7 +23355,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -635,9 +772,19 @@
|
@@ -635,9 +773,19 @@
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -23290,7 +23375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -680,9 +827,14 @@
|
@@ -680,9 +828,14 @@
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
@ -23305,7 +23390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
@@ -697,8 +849,12 @@
|
@@ -697,8 +850,12 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -23318,7 +23403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -720,6 +876,7 @@
|
@@ -720,6 +877,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -23326,7 +23411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
modutils_domtrans_insmod(xserver_t)
|
modutils_domtrans_insmod(xserver_t)
|
||||||
|
|
||||||
@@ -742,7 +899,7 @@
|
@@ -742,7 +900,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
@ -23335,7 +23420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -774,12 +931,20 @@
|
@@ -774,12 +932,20 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23357,7 +23442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -806,7 +971,7 @@
|
@@ -806,7 +972,7 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -23366,7 +23451,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -827,9 +992,14 @@
|
@@ -827,9 +993,14 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -23381,7 +23466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -844,11 +1014,14 @@
|
@@ -844,11 +1015,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -23397,7 +23482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -856,6 +1029,11 @@
|
@@ -856,6 +1030,11 @@
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -23409,7 +23494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -881,6 +1059,8 @@
|
@@ -881,6 +1060,8 @@
|
||||||
# X Server
|
# X Server
|
||||||
# can read server-owned resources
|
# can read server-owned resources
|
||||||
allow x_domain xserver_t:x_resource read;
|
allow x_domain xserver_t:x_resource read;
|
||||||
@ -23418,7 +23503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# can mess with own clients
|
# can mess with own clients
|
||||||
allow x_domain self:x_client { manage destroy };
|
allow x_domain self:x_client { manage destroy };
|
||||||
|
|
||||||
@@ -905,6 +1085,8 @@
|
@@ -905,6 +1086,8 @@
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
|
|
||||||
@ -23427,7 +23512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# X Colormaps
|
# X Colormaps
|
||||||
# can use the default colormap
|
# can use the default colormap
|
||||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||||
@@ -972,17 +1154,49 @@
|
@@ -972,17 +1155,49 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
@ -27864,7 +27949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.21/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.21/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-06-26 13:59:21.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-06-26 13:59:21.000000000 -0400
|
||||||
+++ serefpolicy-3.6.21/policy/modules/system/userdomain.if 2009-07-01 10:43:36.000000000 -0400
|
+++ serefpolicy-3.6.21/policy/modules/system/userdomain.if 2009-07-08 11:19:36.000000000 -0400
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
|
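Review bot: The xguest.te hunk (`@@ -36,11 +36,17 @@`) gives the guest domain itself `allow xguest_t self:capability sys_admin;` whenever `xguest_mount_media` is on, and CAP_SYS_ADMIN is far broader than what fusermount needs — it is the capability closest to unrestricted root, so every process running as xguest_t inherits it while the tunable is set, which undercuts the point of a restricted guest role. If fusermount is labeled mount_exec_t, a domain transition into the mount domain inside the same tunable block (e.g. `mount_run(xguest_t, xguest_r)`) confines the privilege to the helper rather than to the whole session; the label should be confirmed before making that switch. The unconditional `dontaudit xguest_t self:capability sys_admin;` added above the tunable also silences the denial when the tunable is off, removing the only audit evidence that something in a guest session attempted sys_admin, so it is better kept inside the tunable or dropped. The enclosing `tunable_policy` and `optional_policy` blocks close outside the hunk.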
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.21
|
Version: 3.6.21
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -475,6 +475,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-3
|
||||||
|
- Fixes for xguest
|
||||||
|
|
||||||
* Tue Jul 7 2009 Tom "spot" Callaway <tcallawa@redhat.com> 3.6.21-2
|
* Tue Jul 7 2009 Tom "spot" Callaway <tcallawa@redhat.com> 3.6.21-2
|
||||||
- fix multiple directory ownership of mandirs
|
- fix multiple directory ownership of mandirs
|
||||||
|
|
||||||
|