- Allow login programs to talk dbus to oddjob

Daniel J Walsh 2008-01-21 21:42:26 +00:00
parent 98f84cb0ed
commit b3c8a04083
2 changed files with 67 additions and 35 deletions


@ -1463,7 +1463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te 2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te 2008-01-21 13:29:12.000000000 -0500
@@ -28,6 +28,7 @@
files_purge_tmp(tmpreaper_t)
# why does it need setattr?
@ -1472,10 +1472,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
@@ -43,5 +44,10 @@
@@ -43,5 +44,14 @@
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
optional_policy(`
+ amavis_manage_spool_files(tmpreaper_t)
+')
+
+optional_policy(`
+ kismet_manage_log(tmpreaper_t)
+')
+
@ -3161,7 +3165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
# /bin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-21 12:59:29.000000000 -0500
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
@ -3275,9 +3279,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+ tunable_policy(`browser_write_$1_data',`
+ userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
+ userdom_manage_user_home_content_files($1,$1_mozilla_t)
+ userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+ userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
+ userdom_manage_user_home_content_pipes($1,$1_mozilla_t)
+ userdom_user_home_dir_filetrans_user_home_content($1,$1_mozilla_t, { file dir })
+ userdom_user_home_dir_filetrans_user_home_content($1,$1_mozilla_t, { file dir lnk_file })
+ ', `
+ # helper apps will try to create .files
+ userdom_dontaudit_create_user_home_content_files($1,$1_mozilla_t)
@ -3487,14 +3491,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_connectto_user_bus($1,$1_mozilla_t)
+ ')
+
+ optional_policy(`
+ gnome_exec_gconf($1_mozilla_t)
+ gnome_manage_user_gnome_config($1,$1_mozilla_t)
')
optional_policy(`
+ gnome_exec_gconf($1_mozilla_t)
+ gnome_manage_user_gnome_config($1,$1_mozilla_t)
+ ')
+
+ optional_policy(`
+ gnome_domtrans_user_gconf($1,$1_mozilla_t)
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
')
@ -7559,7 +7563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.5/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc 2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc 2008-01-21 14:43:52.000000000 -0500
@@ -5,16 +5,20 @@
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
@ -7582,7 +7586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+
+/etc/rc.d/init.d/clamd-wrapper -- gen_context(system_u:object_r:clamav_script_exec_t,s0)
+/etc/rc.d/init.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.2.5/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/clamav.if 2008-01-18 17:11:50.000000000 -0500
@ -9072,7 +9076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-18 14:09:48.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-21 14:38:27.000000000 -0500
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -10453,7 +10457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.2.5/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te 2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te 2008-01-21 13:50:35.000000000 -0500
@@ -18,6 +18,9 @@
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)
@ -10464,6 +10468,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
########################################
#
# fail2ban local policy
@@ -55,6 +58,8 @@
miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t)
+
optional_policy(`
apache_read_log(fail2ban_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.fc serefpolicy-3.2.5/policy/modules/services/fetchmail.fc
--- nsaserefpolicy/policy/modules/services/fetchmail.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/fetchmail.fc 2008-01-18 12:40:46.000000000 -0500
@ -10788,7 +10801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.5/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/hal.te 2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/hal.te 2008-01-21 13:37:54.000000000 -0500
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@ -10825,7 +10838,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
storage_raw_read_removable_device(hald_t)
storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
@@ -265,6 +271,11 @@
@@ -172,6 +178,8 @@
init_rw_utmp(hald_t)
init_telinit(hald_t)
+fstools_getattr_swap_files(hald_t)
+
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
libs_exec_ld_so(hald_t)
@@ -265,6 +273,11 @@
')
optional_policy(`
@ -10837,7 +10859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
rpc_search_nfs_state_data(hald_t)
')
@@ -291,7 +302,8 @@
@@ -291,7 +304,8 @@
#
allow hald_acl_t self:capability { dac_override fowner };
@ -10847,7 +10869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
allow hald_t hald_acl_t:process signal;
@@ -325,6 +337,11 @@
@@ -325,6 +339,11 @@
miscfiles_read_localization(hald_acl_t)
@ -10859,7 +10881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Local hald mac policy
@@ -338,10 +355,14 @@
@@ -338,10 +357,14 @@
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_mac_t)
@ -10874,7 +10896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
@@ -391,3 +412,7 @@
@@ -391,3 +414,7 @@
libs_use_shared_libs(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
@ -20209,7 +20231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-21 14:40:46.000000000 -0500
@@ -99,7 +99,7 @@
template(`authlogin_per_role_template',`
@ -20251,7 +20273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
# for fingerprint readers
@@ -221,11 +233,28 @@
@@ -221,11 +233,35 @@
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
@ -20266,6 +20288,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ userdom_unpriv_users_stream_connect($1)
+
+ optional_policy(`
+ dbus_system_bus_client_template(notused, $1)
+ optional_policy(`
+ oddjob_dbus_chat($1)
+ ')
+ ')
+
+ optional_policy(`
+ mount_domtrans($1)
+ ')
+
@ -20281,7 +20310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
@@ -342,6 +371,8 @@
@@ -342,6 +378,8 @@
optional_policy(`
kerberos_use($1)
@ -20290,7 +20319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
@@ -356,6 +387,7 @@
@@ -356,6 +394,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@ -20298,7 +20327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
@@ -369,12 +401,12 @@
@@ -369,12 +408,12 @@
## </param>
## <param name="role">
## <summary>
@ -20313,7 +20342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## </summary>
## </param>
#
@@ -386,6 +418,7 @@
@@ -386,6 +425,7 @@
auth_domtrans_chk_passwd($1)
role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms;
@ -20321,7 +20350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
@@ -1457,6 +1490,7 @@
@@ -1457,6 +1497,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@ -20329,7 +20358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
@@ -1491,3 +1525,23 @@
@@ -1491,3 +1532,23 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@ -22092,7 +22121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.5/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te 2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te 2008-01-21 15:06:00.000000000 -0500
@@ -75,7 +75,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -22336,7 +22365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_redhat', `
fs_rw_tmpfs_chr_files(setfiles_t)
fs_rw_tmpfs_blk_files(setfiles_t)
@@ -574,18 +550,6 @@
@@ -574,16 +550,8 @@
fs_relabel_tmpfs_chr_file(setfiles_t)
')
@ -22350,11 +22379,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
- unconfined_dontaudit_read_pipes(setfiles_t)
- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
- ')
-')
-
optional_policy(`
hotplug_use_fds(setfiles_t)
+optional_policy(`
+ cron_rw_pipes(setfiles_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.5/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/sysnetwork.if 2008-01-18 12:40:46.000000000 -0500
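Review bot: In the authlogin.if hunk (`@@ -221,11 +233,35 @@`), `dbus_system_bus_client_template(notused, $1)` sits in the outer `optional_policy` block while `oddjob_dbus_chat($1)` is nested in an inner one, so every domain passed to this interface becomes a system-bus client whenever the dbus module is built, even where the oddjob module is absent and the inner block drops out. If oddjob is the only reason for the bus access, as the commit title suggests, removing the inner `optional_policy` wrapper so that both calls share one block would grant the bus access only when both modules are present. A comment such as `# login programs talk to oddjob over the system bus` above the block would record why the grant exists, and the `notused` prefix argument deserves a short explanation as well. The enclosing interface begins and ends outside this hunk, so which login domains receive the grant cannot be checked from here.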


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.5
Release: 14%{?dist}
Release: 15%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
%endif
%changelog
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-15
- Allow login programs to talk dbus to oddjob
* Thu Jan 17 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-14
- Add procmail_log support
- Lots of fixes for munin