- Fixes for xguest

This commit is contained in:
Daniel J Walsh 2009-07-08 15:37:57 +00:00
parent 819f419b33
commit a88b486824
2 changed files with 140 additions and 52 deletions

View File

@ -2833,8 +2833,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.21/policy/modules/apps/mozilla.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.21/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500
+++ serefpolicy-3.6.21/policy/modules/apps/mozilla.if 2009-07-01 10:43:35.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/apps/mozilla.if 2009-07-08 11:19:59.000000000 -0400
@@ -64,6 +64,7 @@ @@ -45,6 +45,18 @@
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+ mozilla_dbus_chat($2)
+
+ userdom_manage_tmp_role($1, mozilla_t)
+
+ optional_policy(`
+ nsplugin_role($1, mozilla_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_role($1, mozilla_t)
+ ')
')
########################################
@@ -64,6 +76,7 @@
allow $1 mozilla_home_t:dir list_dir_perms; allow $1 mozilla_home_t:dir list_dir_perms;
allow $1 mozilla_home_t:file read_file_perms; allow $1 mozilla_home_t:file read_file_perms;
@ -2842,7 +2861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_search_user_home_dirs($1) userdom_search_user_home_dirs($1)
') ')
@@ -83,7 +84,7 @@ @@ -83,7 +96,7 @@
') ')
allow $1 mozilla_home_t:dir list_dir_perms; allow $1 mozilla_home_t:dir list_dir_perms;
@ -2853,8 +2872,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.21/policy/modules/apps/mozilla.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.21/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.21/policy/modules/apps/mozilla.te 2009-07-01 10:43:35.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/apps/mozilla.te 2009-07-08 11:32:50.000000000 -0400
@@ -105,6 +105,7 @@ @@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
userdom_search_user_home_dirs(mozilla_t)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
# Mozpluggerrc
allow mozilla_t mozilla_conf_t:file read_file_perms;
@@ -97,6 +98,7 @@
corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_connect_ipp_port(mozilla_t)
corenet_tcp_connect_generic_port(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
corenet_sendrecv_http_client_packets(mozilla_t)
corenet_sendrecv_http_cache_client_packets(mozilla_t)
corenet_sendrecv_ftp_client_packets(mozilla_t)
@@ -105,6 +107,7 @@
# Should not need other ports # Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
corenet_dontaudit_tcp_bind_generic_port(mozilla_t) corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
@ -2862,7 +2897,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_urand(mozilla_t) dev_read_urand(mozilla_t)
dev_read_rand(mozilla_t) dev_read_rand(mozilla_t)
@@ -128,6 +129,7 @@ @@ -113,6 +116,8 @@
dev_dontaudit_rw_dri(mozilla_t)
dev_getattr_sysfs_dirs(mozilla_t)
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_etc_files(mozilla_t)
@@ -128,6 +133,7 @@
fs_rw_tmpfs_files(mozilla_t) fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t)
@ -2870,15 +2914,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(mozilla_t) logging_send_syslog_msg(mozilla_t)
@@ -143,6 +145,7 @@ @@ -137,12 +143,7 @@
userdom_manage_user_tmp_dirs(mozilla_t) # Browse the web, connect to printer
userdom_manage_user_tmp_files(mozilla_t) sysnet_dns_name_resolve(mozilla_t)
userdom_manage_user_tmp_sockets(mozilla_t)
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_manage_user_home_content_symlinks(mozilla_t)
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-userdom_manage_user_tmp_sockets(mozilla_t)
+userdom_use_user_ptys(mozilla_t) +userdom_use_user_ptys(mozilla_t)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
@@ -243,6 +246,8 @@ @@ -239,10 +240,15 @@
optional_policy(`
dbus_system_bus_client(mozilla_t)
dbus_session_bus_client(mozilla_t)
+ optional_policy(`
+ networkmanager_dbus_chat(mozilla_t)
+ ')
')
optional_policy(` optional_policy(`
gnome_stream_connect_gconf(mozilla_t) gnome_stream_connect_gconf(mozilla_t)
@ -2887,7 +2944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -263,5 +268,10 @@ @@ -263,5 +269,10 @@
') ')
optional_policy(` optional_policy(`
@ -2916,7 +2973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.21/policy/modules/apps/nsplugin.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.21/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.21/policy/modules/apps/nsplugin.if 2009-07-06 15:10:59.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/apps/nsplugin.if 2009-07-08 10:43:18.000000000 -0400
@@ -0,0 +1,313 @@ @@ -0,0 +1,313 @@
+ +
+## <summary>policy for nsplugin</summary> +## <summary>policy for nsplugin</summary>
@ -3784,7 +3841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if 2009-07-01 10:43:35.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if 2009-07-08 10:50:31.000000000 -0400
@@ -0,0 +1,148 @@ @@ -0,0 +1,148 @@
+ +
+## <summary>policy for pulseaudio</summary> +## <summary>policy for pulseaudio</summary>
@ -8612,8 +8669,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_manage_user_home_content_files(webadm_t) userdom_manage_user_home_content_files(webadm_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.21/policy/modules/roles/xguest.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.21/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400 --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400
+++ serefpolicy-3.6.21/policy/modules/roles/xguest.te 2009-07-01 10:43:35.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/roles/xguest.te 2009-07-08 11:32:12.000000000 -0400
@@ -67,7 +67,11 @@ @@ -36,11 +36,17 @@
# Local policy
#
+# Dontaudit fusermount
+dontaudit xguest_t self:capability sys_admin;
+
# Allow mounting of file systems
optional_policy(`
tunable_policy(`xguest_mount_media',`
kernel_read_fs_sysctls(xguest_t)
+ # allow fusermount
+ allow xguest_t self:capability sys_admin;
+
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
@@ -67,7 +73,11 @@
') ')
optional_policy(` optional_policy(`
@ -8626,7 +8701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -75,9 +79,13 @@ @@ -75,9 +85,13 @@
') ')
optional_policy(` optional_policy(`
@ -10209,15 +10284,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.21/policy/modules/services/apm.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.21/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-06-26 13:59:19.000000000 -0400 --- nsaserefpolicy/policy/modules/services/apm.te 2009-06-26 13:59:19.000000000 -0400
+++ serefpolicy-3.6.21/policy/modules/services/apm.te 2009-07-01 10:43:35.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/apm.te 2009-07-08 10:40:06.000000000 -0400
@@ -39,6 +39,7 @@ @@ -60,7 +60,7 @@
# # mknod: controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
allow apm_t self:capability { dac_override sys_admin }; allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+dontaudit apm_t self:capability sys_ptrace; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
kernel_read_system_state(apm_t) allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.21/policy/modules/services/automount.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.21/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2008-10-14 11:58:09.000000000 -0400 --- nsaserefpolicy/policy/modules/services/automount.if 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.6.21/policy/modules/services/automount.if 2009-07-01 10:43:35.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/automount.if 2009-07-01 10:43:35.000000000 -0400
@ -17486,7 +17562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.21/policy/modules/services/postgresql.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.21/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-26 13:59:19.000000000 -0400 --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-26 13:59:19.000000000 -0400
+++ serefpolicy-3.6.21/policy/modules/services/postgresql.te 2009-07-01 10:43:36.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/postgresql.te 2009-07-07 16:27:00.000000000 -0400
@@ -32,6 +32,9 @@ @@ -32,6 +32,9 @@
type postgresql_etc_t; type postgresql_etc_t;
files_config_file(postgresql_etc_t) files_config_file(postgresql_etc_t)
@ -17517,6 +17593,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_sendrecv_postgresql_server_packets(postgresql_t) corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t) corenet_sendrecv_auth_client_packets(postgresql_t)
@@ -247,6 +253,7 @@
init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
+logging_send_audit_msgs(postgresql_t)
miscfiles_read_localization(postgresql_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.21/policy/modules/services/ppp.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.21/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.6.21/policy/modules/services/ppp.fc 2009-07-01 10:43:36.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/ppp.fc 2009-07-01 10:43:36.000000000 -0400
@ -19565,7 +19649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.21/policy/modules/services/sendmail.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.21/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.21/policy/modules/services/sendmail.te 2009-07-01 10:43:36.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/sendmail.te 2009-07-07 17:16:43.000000000 -0400
@@ -20,13 +20,17 @@ @@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t) mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t) mta_mailserver_sender(sendmail_t)
@ -19732,7 +19816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+optional_policy(` +optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t) + mta_etc_filetrans_aliases(unconfined_sendmail_t)
+ unconfined_domain(unconfined_sendmail_t) + unconfined_domain_noaudit(unconfined_sendmail_t)
+') +')
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
@ -22746,7 +22830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.21/policy/modules/services/xserver.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.21/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-26 13:59:19.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-26 13:59:19.000000000 -0400
+++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-07 15:47:58.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-08 10:50:38.000000000 -0400
@@ -34,6 +34,13 @@ @@ -34,6 +34,13 @@
## <desc> ## <desc>
@ -23173,7 +23257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t) hostname_exec(xdm_t)
') ')
@@ -542,6 +650,28 @@ @@ -542,6 +650,29 @@
') ')
optional_policy(` optional_policy(`
@ -23185,6 +23269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+optional_policy(` +optional_policy(`
+ pulseaudio_exec(xdm_t) + pulseaudio_exec(xdm_t)
+ pulseaudio_dbus_chat(xdm_t)
+') +')
+ +
+# On crash gdm execs gdb to dump stack +# On crash gdm execs gdb to dump stack
@ -23202,7 +23287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t) seutil_sigchld_newrole(xdm_t)
') ')
@@ -550,8 +680,9 @@ @@ -550,8 +681,9 @@
') ')
optional_policy(` optional_policy(`
@ -23214,7 +23299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem }; allow xdm_t self:process { execheap execmem };
@@ -560,7 +691,6 @@ @@ -560,7 +692,6 @@
ifdef(`distro_rhel4',` ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem }; allow xdm_t self:process { execheap execmem };
') ')
@ -23222,7 +23307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
userhelper_dontaudit_search_config(xdm_t) userhelper_dontaudit_search_config(xdm_t)
@@ -571,6 +701,10 @@ @@ -571,6 +702,10 @@
') ')
optional_policy(` optional_policy(`
@ -23233,7 +23318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t) xfs_stream_connect(xdm_t)
') ')
@@ -587,7 +721,7 @@ @@ -587,7 +722,7 @@
# execheap needed until the X module loader is fixed. # execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack # NVIDIA Needs execstack
@ -23242,7 +23327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit xserver_t self:capability chown; dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:memprotect mmap_zero; allow xserver_t self:memprotect mmap_zero;
@@ -602,9 +736,11 @@ @@ -602,9 +737,11 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms; allow xserver_t self:udp_socket create_socket_perms;
@ -23254,7 +23339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send; allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
@@ -616,13 +752,14 @@ @@ -616,13 +753,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send; allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@ -23270,7 +23355,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -635,9 +772,19 @@ @@ -635,9 +773,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t) files_search_var_lib(xserver_t)
@ -23290,7 +23375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t) kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t) kernel_read_device_sysctls(xserver_t)
@@ -680,9 +827,14 @@ @@ -680,9 +828,14 @@
dev_rw_xserver_misc(xserver_t) dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events # read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t) dev_rw_input_dev(xserver_t)
@ -23305,7 +23390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t) files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t) files_read_etc_runtime_files(xserver_t)
@@ -697,8 +849,12 @@ @@ -697,8 +850,12 @@
fs_search_nfs(xserver_t) fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t) fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t) fs_search_ramfs(xserver_t)
@ -23318,7 +23403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t) selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t) selinux_compute_access_vector(xserver_t)
@@ -720,6 +876,7 @@ @@ -720,6 +877,7 @@
miscfiles_read_localization(xserver_t) miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t) miscfiles_read_fonts(xserver_t)
@ -23326,7 +23411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t) modutils_domtrans_insmod(xserver_t)
@@ -742,7 +899,7 @@ @@ -742,7 +900,7 @@
') ')
ifdef(`enable_mls',` ifdef(`enable_mls',`
@ -23335,7 +23420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
') ')
@@ -774,12 +931,20 @@ @@ -774,12 +932,20 @@
') ')
optional_policy(` optional_policy(`
@ -23357,7 +23442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t) unconfined_domtrans(xserver_t)
') ')
@@ -806,7 +971,7 @@ @@ -806,7 +972,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read }; allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search; dontaudit xserver_t xdm_var_lib_t:dir search;
@ -23366,7 +23451,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types. # Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -827,9 +992,14 @@ @@ -827,9 +993,14 @@
# to read ROLE_home_t - examine this in more detail # to read ROLE_home_t - examine this in more detail
# (xauth?) # (xauth?)
userdom_read_user_home_content_files(xserver_t) userdom_read_user_home_content_files(xserver_t)
@ -23381,7 +23466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t) fs_manage_nfs_files(xserver_t)
@@ -844,11 +1014,14 @@ @@ -844,11 +1015,14 @@
optional_policy(` optional_policy(`
dbus_system_bus_client(xserver_t) dbus_system_bus_client(xserver_t)
@ -23397,7 +23482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -856,6 +1029,11 @@ @@ -856,6 +1030,11 @@
rhgb_rw_tmpfs_files(xserver_t) rhgb_rw_tmpfs_files(xserver_t)
') ')
@ -23409,7 +23494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
# #
# Rules common to all X window domains # Rules common to all X window domains
@@ -881,6 +1059,8 @@ @@ -881,6 +1060,8 @@
# X Server # X Server
# can read server-owned resources # can read server-owned resources
allow x_domain xserver_t:x_resource read; allow x_domain xserver_t:x_resource read;
@ -23418,7 +23503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients # can mess with own clients
allow x_domain self:x_client { manage destroy }; allow x_domain self:x_client { manage destroy };
@@ -905,6 +1085,8 @@ @@ -905,6 +1086,8 @@
# operations allowed on my windows # operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -23427,7 +23512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps # X Colormaps
# can use the default colormap # can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color }; allow x_domain rootwindow_t:x_colormap { read use add_color };
@@ -972,17 +1154,49 @@ @@ -972,17 +1155,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -27864,7 +27949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.21/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.21/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-06-26 13:59:21.000000000 -0400 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-06-26 13:59:21.000000000 -0400
+++ serefpolicy-3.6.21/policy/modules/system/userdomain.if 2009-07-01 10:43:36.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/system/userdomain.if 2009-07-08 11:19:36.000000000 -0400
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.21 Version: 3.6.21
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -475,6 +475,9 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Jul 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-3
- Fixes for xguest
* Tue Jul 7 2009 Tom "spot" Callaway <tcallawa@redhat.com> 3.6.21-2 * Tue Jul 7 2009 Tom "spot" Callaway <tcallawa@redhat.com> 3.6.21-2
- fix multiple directory ownership of mandirs - fix multiple directory ownership of mandirs