- Merge with upstream

2010-08-27 10:21:25 -04:00 · 2010-08-27 10:21:25 -04:00 · acb1aed3a4
commit acb1aed3a4
parent 59475c2524
1 changed files with 26 additions and 36 deletions
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -9046,18 +9046,9 @@ index 252913b..a1bbe8f 100644
 	consoletype_exec(auditadm_t)
 ')
 diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
-index 1875064..a3ddd43 100644
+index 1875064..20d9333 100644
 --- a/policy/modules/roles/dbadm.te
 +++ b/policy/modules/roles/dbadm.te
@@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
 role dbadm_r;
 -userdom_base_user_template(dbadm)
 +userdom_unpriv_user_template(dbadm)
 ########################################
 #
@@ -58,3 +58,7 @@ optional_policy(`
 optional_policy(`
 	postgresql_admin(dbadm_t, dbadm_r)
@ -26171,7 +26162,7 @@ index 6f1e3c7..39c2bb3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..8696a6e 100644
+index da2601a..6ff8f25 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -26229,15 +26220,13 @@ index da2601a..8696a6e 100644
 	# Client read xserver shm
 	allow $2 xserver_t:fd use;
-@@ -89,14 +99,19 @@ interface(`xserver_restricted_role',`
+@@ -89,14 +99,17 @@ interface(`xserver_restricted_role',`
 	dev_write_misc($2)
 	# open office is looking for the following
 	dev_getattr_agp_dev($2)
 -	dev_dontaudit_rw_dri($2)
 +	tunable_policy(`user_direct_dri',`
 +		dev_rw_dri($2)
 +	',`
 +		dev_dontaudit_rw_dri($2)
 +	')
 +
 	# GNOME checks for usb and other devices:
@ -26251,7 +26240,7 @@ index da2601a..8696a6e 100644
 	xserver_xsession_entry_type($2)
 	xserver_dontaudit_write_log($2)
 	xserver_stream_connect_xdm($2)
-@@ -148,6 +163,7 @@ interface(`xserver_role',`
+@@ -148,6 +161,7 @@ interface(`xserver_role',`
 	allow $2 xauth_home_t:file manage_file_perms;
 	allow $2 xauth_home_t:file { relabelfrom relabelto };
@ -26259,7 +26248,7 @@ index da2601a..8696a6e 100644
 	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
 	manage_files_pattern($2, user_fonts_t, user_fonts_t)
 	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
-@@ -197,7 +213,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +211,7 @@ interface(`xserver_ro_session',`
 	allow $1 xserver_t:process signal;
 	# Read /tmp/.X0-lock
@ -26268,7 +26257,7 @@ index da2601a..8696a6e 100644
 	# Client read xserver shm
 	allow $1 xserver_t:fd use;
-@@ -291,12 +307,12 @@ interface(`xserver_user_client',`
+@@ -291,12 +305,12 @@ interface(`xserver_user_client',`
 	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
 	# Read .Xauthority file
@ -26284,7 +26273,7 @@ index da2601a..8696a6e 100644
 	allow $1 xdm_tmp_t:dir search;
 	allow $1 xdm_tmp_t:sock_file { read write };
 	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -355,6 +371,12 @@ template(`xserver_common_x_domain_template',`
+@@ -355,6 +369,12 @@ template(`xserver_common_x_domain_template',`
 		class x_property all_x_property_perms;
 		class x_event all_x_event_perms;
 		class x_synthetic_event all_x_synthetic_event_perms;
@ -26297,7 +26286,7 @@ index da2601a..8696a6e 100644
 	')
 	##############################
-@@ -386,6 +408,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +406,15 @@ template(`xserver_common_x_domain_template',`
 	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
 	# dont audit send failures
 	dontaudit $2 input_xevent_type:x_event send;
@ -26313,7 +26302,7 @@ index da2601a..8696a6e 100644
 ')
 #######################################
-@@ -476,6 +507,7 @@ template(`xserver_user_x_domain_template',`
+@@ -476,6 +505,7 @@ template(`xserver_user_x_domain_template',`
 	xserver_use_user_fonts($2)
 	xserver_read_xdm_tmp_files($2)
@ -26321,7 +26310,7 @@ index da2601a..8696a6e 100644
 	# X object manager
 	xserver_object_types_template($1)
-@@ -545,6 +577,27 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +575,27 @@ interface(`xserver_domtrans_xauth',`
 	')
 	domtrans_pattern($1, xauth_exec_t, xauth_t)
@ -26349,7 +26338,7 @@ index da2601a..8696a6e 100644
 ')
 ########################################
-@@ -598,6 +651,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +649,7 @@ interface(`xserver_read_user_xauth',`
 	allow $1 xauth_home_t:file read_file_perms;
 	userdom_search_user_home_dirs($1)
@ -26357,7 +26346,7 @@ index da2601a..8696a6e 100644
 ')
 ########################################
-@@ -725,10 +779,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -725,10 +777,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
@ -26370,7 +26359,7 @@ index da2601a..8696a6e 100644
 ')
 ########################################
-@@ -805,7 +861,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +859,7 @@ interface(`xserver_read_xdm_pid',`
 	')
 	files_search_pids($1)
@ -26379,7 +26368,7 @@ index da2601a..8696a6e 100644
 ')
 ########################################
-@@ -916,7 +972,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +970,7 @@ interface(`xserver_dontaudit_write_log',`
 		type xserver_log_t;
 	')
@ -26388,7 +26377,7 @@ index da2601a..8696a6e 100644
 ')
 ########################################
-@@ -963,6 +1019,44 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1017,44 @@ interface(`xserver_read_xkb_libs',`
 ########################################
 ## <summary>
@ -26433,7 +26422,7 @@ index da2601a..8696a6e 100644
 ##	Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
-@@ -1224,9 +1318,20 @@ interface(`xserver_manage_core_devices',`
+@@ -1224,9 +1316,20 @@ interface(`xserver_manage_core_devices',`
 		class x_device all_x_device_perms;
 		class x_pointer all_x_pointer_perms;
 		class x_keyboard all_x_keyboard_perms;
@ -26454,7 +26443,7 @@ index da2601a..8696a6e 100644
 ')
 ########################################
-@@ -1250,3 +1355,329 @@ interface(`xserver_unconfined',`
+@@ -1250,3 +1353,329 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
@ -29001,7 +28990,7 @@ index f6aafe7..7da8294 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index bd45076..a1b6d56 100644
+index bd45076..a100eb6 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -29115,7 +29104,7 @@ index bd45076..a1b6d56 100644
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,80 @@ tunable_policy(`init_upstart',`
+@@ -185,23 +216,92 @@ tunable_policy(`init_upstart',`
 	sysadm_shell_domtrans(init_t)
 ')
@ -29164,11 +29153,6 @@ index bd45076..a1b6d56 100644
 +	init_read_script_state(init_t)
 +
 +	seutil_read_file_contexts(init_t)
 +
 +	optional_policy(`
 +		plymouthd_stream_connect(init_t)
 +		plymouthd_exec_plymouth(init_t)
 +	')
 +')
 +
 optional_policy(`
@ -29196,7 +29180,13 @@ index bd45076..a1b6d56 100644
 	nscd_socket_use(init_t)
 ')
-@@ -202,6 +298,10 @@ optional_policy(`
+ optional_policy(`
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
 +')
 +
 +optional_policy(`
 	sssd_stream_connect(init_t)
 ')
 optional_policy(`