- Add devicekit policy

2009-01-19 22:34:56 +00:00 · 2009-01-19 22:34:56 +00:00 · acc137684b
commit acc137684b
parent 9317a606e1
4 changed files with 58 additions and 45 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -340,6 +340,13 @@ dcc = module
 # 
 ddcprobe = off
 # Layer: services
 # Module: devicekit
 #
 # devicekit-daemon
 # 
 devicekit = module
 # Layer: kernel
 # Module: devices
 # Required in base
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -340,6 +340,13 @@ dcc = module
 # 
 ddcprobe = off
 # Layer: services
 # Module: devicekit
 #
 # devicekit-daemon
 # 
 devicekit = module
 # Layer: kernel
 # Module: devices
 # Required in base
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -8349,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-19 17:10:55.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-19 17:34:22.000000000 -0500
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -8444,16 +8444,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
-@@ -187,15 +233,22 @@
+@@ -187,15 +233,20 @@
 files_tmpfs_file(httpd_tmpfs_t)
 apache_content_template(user)
 +
 ubac_constrained(httpd_user_script_t)
-+typeattribute httpd_user_content_t, httpdcontent;
+typeattribute httpd_user_content_t httpdcontent;
-+typeattribute httpd_user_content_rw_t, httpdcontent;
+typeattribute httpd_user_content_rw_t httpdcontent;
-+typeattribute httpd_user_content_ra_t, httpdcontent;
+typeattribute httpd_user_content_ra_t httpdcontent;
 +typeattribute httpd_user_script_exec_t, httpdcontent;
 +
 userdom_user_home_content(httpd_user_content_t)
 userdom_user_home_content(httpd_user_htaccess_t)
@ -8462,7 +8461,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -userdom_user_home_content(httpd_user_script_ro_t)
 -userdom_user_home_content(httpd_user_script_rw_t)
 +userdom_user_home_content(httpd_user_content_ra_t)
 +userdom_user_home_content(httpd_user_content_ro_t)
 +userdom_user_home_content(httpd_user_content_rw_t)
 typeattribute httpd_user_script_t httpd_script_domains;
 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@ -8470,7 +8468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-@@ -230,7 +283,7 @@
+@@ -230,7 +281,7 @@
 # Apache server local policy
 #
@ -8479,7 +8477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
-@@ -272,6 +325,7 @@
+@@ -272,6 +323,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -8487,7 +8485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +337,9 @@
+@@ -283,9 +335,9 @@
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@ -8500,7 +8498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,6 +355,7 @@
+@@ -301,6 +353,7 @@
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
@ -8508,7 +8506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
-@@ -312,6 +367,7 @@
+@@ -312,6 +365,7 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@ -8516,7 +8514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -322,6 +378,7 @@
+@@ -322,6 +376,7 @@
 corenet_tcp_sendrecv_all_ports(httpd_t)
 corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_generic_node(httpd_t)
@ -8524,7 +8522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
 corenet_sendrecv_http_server_packets(httpd_t)
-@@ -335,12 +392,12 @@
+@@ -335,12 +390,12 @@
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@ -8540,7 +8538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_use_interactive_fds(httpd_t)
-@@ -358,6 +415,10 @@
+@@ -358,6 +413,10 @@
 files_read_var_lib_symlinks(httpd_t)
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -8551,7 +8549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 libs_read_lib_files(httpd_t)
-@@ -372,18 +433,33 @@
+@@ -372,18 +431,33 @@
 userdom_use_unpriv_users_fds(httpd_t)
@ -8589,7 +8587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ')
-@@ -391,20 +467,54 @@
+@@ -391,20 +465,54 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
@ -8645,7 +8643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -415,20 +525,28 @@
+@@ -415,20 +523,28 @@
 	corenet_tcp_bind_ftp_port(httpd_t)
 ')
@ -8678,7 +8676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -459,8 +577,13 @@
+@@ -459,8 +575,13 @@
 ')
 optional_policy(`
@ -8694,7 +8692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -472,18 +595,13 @@
+@@ -472,18 +593,13 @@
 ')
 optional_policy(`
@ -8714,7 +8712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -493,6 +611,12 @@
+@@ -493,6 +609,12 @@
 	openca_kill(httpd_t)
 ')
@ -8727,7 +8725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
-@@ -500,6 +624,7 @@
+@@ -500,6 +622,7 @@
 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
@ -8735,7 +8733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -508,6 +633,7 @@
+@@ -508,6 +631,7 @@
 ')
 optional_policy(`
@ -8743,7 +8741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -535,6 +661,22 @@
+@@ -535,6 +659,22 @@
 userdom_use_user_terminals(httpd_helper_t)
@ -8766,7 +8764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache PHP script local policy
-@@ -564,20 +706,25 @@
+@@ -564,20 +704,25 @@
 fs_search_auto_mountpoints(httpd_php_t)
@ -8798,7 +8796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -595,23 +742,24 @@
+@@ -595,23 +740,24 @@
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@ -8827,7 +8825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +772,7 @@
+@@ -624,6 +770,7 @@
 logging_send_syslog_msg(httpd_suexec_t)
 miscfiles_read_localization(httpd_suexec_t)
@ -8835,20 +8833,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -641,12 +790,25 @@
+@@ -641,12 +788,23 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 +read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
 +read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
 +read_files_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_ro_t)
 +read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
 +
 +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 +	domtrans_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_script_t)
 +	domtrans_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_t)
 +	domtrans_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_t)
 +	domtrans_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_t)
 +
@ -8864,7 +8860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -655,6 +817,12 @@
+@@ -655,6 +813,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
@ -8877,7 +8873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -672,15 +840,14 @@
+@@ -672,15 +836,14 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -8896,7 +8892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +866,24 @@
+@@ -699,12 +862,24 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -8923,7 +8919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +891,35 @@
+@@ -712,6 +887,35 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
@ -8959,7 +8955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +932,10 @@
+@@ -724,6 +928,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -8970,7 +8966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -735,6 +947,8 @@
+@@ -735,6 +943,8 @@
 # httpd_rotatelogs local policy
 #
@ -8979,7 +8975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +968,9 @@
+@@ -754,6 +964,9 @@
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -8989,7 +8985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 # allow accessing files/dirs below the users home dir
-@@ -762,3 +979,66 @@
+@@ -762,3 +975,66 @@
 	userdom_search_user_home_dirs(httpd_suexec_t)
 	userdom_search_user_home_dirs(httpd_user_script_t)
 ')
@ -11422,7 +11418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if	2009-01-19 17:09:09.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if	2009-01-19 17:17:14.000000000 -0500
@@ -0,0 +1,139 @@
 +
 +## <summary>policy for devicekit</summary>
@ -11521,7 +11517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +interface(`devicekit_power_dbus_chat',`
 +	gen_require(`
-+		type devicekit_t;
+		type devicekit_power_t;
 +		class dbus send_msg;
 +	')
 +
@ -20523,14 +20519,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.3/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/squid.te	2009-01-19 15:16:22.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/squid.te	2009-01-19 17:24:18.000000000 -0500
@@ -118,6 +118,9 @@
 fs_getattr_all_fs(squid_t)
 fs_search_auto_mountpoints(squid_t)
 +#squid requires the following when run in diskd mode, the recommended setting
 +fs_rw_tmpfs_files(squid_t)
-+fs_list_inotify(squid_t)
+fs_list_inotifyfs(squid_t)
 selinux_dontaudit_getattr_dir(squid_t)
@ -26410,7 +26406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-19 17:08:20.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-19 17:15:36.000000000 -0500
@@ -30,8 +30,9 @@
 	')
@ -26979,7 +26975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			devkit_power_dbus_chat($1_usertype)
+			devicekit_power_dbus_chat($1_usertype)
 		')
 		optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -445,6 +445,9 @@ exit 0
 %endif
 %changelog
 * Mon Jan 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-2
 - Add devicekit policy
 * Mon Jan 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-1
 - Update to upstream