- Fix file context for MATLAB

- Fixes for xace
This commit is contained in:
Daniel J Walsh 2008-03-21 23:24:11 +00:00
parent 5ea3f10caf
commit bf3d39e959
2 changed files with 83 additions and 43 deletions

View File

@ -3964,8 +3964,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.3.1/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-13 18:18:13.000000000 -0400
@@ -11,6 +11,7 @@
+++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-21 06:52:02.000000000 -0400
@@ -3,14 +3,15 @@
#
/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
@ -3973,16 +3983,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +21,11 @@
@@ -20,5 +21,10 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/matlab(/.*)?/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
@ -14704,7 +14713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-03-21 18:49:34.000000000 -0400
@@ -8,6 +8,7 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@ -14713,13 +14722,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
@@ -16,10 +17,11 @@
@@ -16,10 +17,12 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
-
@ -14775,7 +14785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-20 09:19:51.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-21 18:50:19.000000000 -0400
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@ -14795,7 +14805,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
logging_log_filetrans(hald_t,hald_log_t,file)
manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
@@ -93,6 +96,7 @@
@@ -82,8 +85,9 @@
manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+manage_dirs_pattern(hald_t,hald_var_run_t,hald_var_run_t)
manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
-files_pid_filetrans(hald_t,hald_var_run_t,file)
+files_pid_filetrans(hald_t,hald_var_run_t,{ dir file })
kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
@@ -93,6 +97,7 @@
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
@ -14803,7 +14824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
auth_read_pam_console_data(hald_t)
@@ -155,6 +159,8 @@
@@ -155,6 +160,8 @@
selinux_compute_relabel_context(hald_t)
selinux_compute_user_contexts(hald_t)
@ -14812,7 +14833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
storage_raw_read_removable_device(hald_t)
storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
@@ -172,6 +178,8 @@
@@ -172,6 +179,8 @@
init_rw_utmp(hald_t)
init_telinit(hald_t)
@ -14821,7 +14842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
libs_exec_ld_so(hald_t)
@@ -244,6 +252,10 @@
@@ -244,6 +253,10 @@
')
optional_policy(`
@ -14832,7 +14853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
hotplug_read_config(hald_t)
')
@@ -265,6 +277,11 @@
@@ -265,6 +278,11 @@
')
optional_policy(`
@ -14844,7 +14865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
rpc_search_nfs_state_data(hald_t)
')
@@ -291,7 +308,8 @@
@@ -291,7 +309,8 @@
#
allow hald_acl_t self:capability { dac_override fowner };
@ -14854,7 +14875,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
allow hald_t hald_acl_t:process signal;
@@ -304,6 +322,7 @@
@@ -301,9 +320,14 @@
manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_acl_t)
+manage_dirs_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)
+manage_files_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)
+files_pid_filetrans(hald_acl_t,hald_var_run_t,{ dir file })
+
corecmd_exec_bin(hald_acl_t)
dev_getattr_all_chr_files(hald_acl_t)
@ -14862,7 +14890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
dev_getattr_generic_usb_dev(hald_acl_t)
dev_getattr_video_dev(hald_acl_t)
dev_setattr_video_dev(hald_acl_t)
@@ -325,6 +344,11 @@
@@ -325,6 +349,11 @@
miscfiles_read_localization(hald_acl_t)
@ -14874,7 +14902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Local hald mac policy
@@ -338,10 +362,14 @@
@@ -338,10 +367,14 @@
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_mac_t)
@ -14889,7 +14917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
@@ -391,3 +419,7 @@
@@ -391,3 +424,7 @@
libs_use_shared_libs(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
@ -23952,7 +23980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-14 11:14:49.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-20 16:09:38.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@ -24081,13 +24109,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1_xserver_t self:process { execmem execheap execstack };
')
+ tunable_policy(`xserver_object_manager',`
+ selinux_validate_context($1_xserver_t)
+ selinux_compute_access_vector($1_xserver_t)
+ selinux_compute_create_context($1_xserver_t)
+ seutil_read_default_contexts($1_xserver_t)
+ allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
+ selinux_validate_context($1_xserver_t)
+ selinux_compute_access_vector($1_xserver_t)
+ selinux_compute_create_context($1_xserver_t)
+ seutil_read_default_contexts($1_xserver_t)
+ allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
+
+ tunable_policy(`xserver_object_manager',`
+ allow $1_xserver_t input_xevent_t:x_event send;
+ allow $1_xserver_t x_rootwindow_t:x_drawable send;
+ allow $1_xserver_t xdm_t:x_event send;
@ -25321,7 +25349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-18 15:08:05.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-21 18:46:59.000000000 -0400
@@ -8,6 +8,14 @@
## <desc>
@ -25567,7 +25595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
@@ -226,6 +344,7 @@
@@ -226,9 +344,11 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -25575,7 +25603,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
@@ -237,6 +356,7 @@
+fs_rw_anon_inodefs_files(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -237,6 +357,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -25583,7 +25615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
@@ -245,6 +365,7 @@
@@ -245,6 +366,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -25591,7 +25623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -256,12 +377,11 @@
@@ -256,12 +378,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -25605,7 +25637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -270,8 +390,13 @@
@@ -270,8 +391,13 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -25619,7 +25651,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
@@ -304,7 +429,11 @@
@@ -301,10 +427,15 @@
optional_policy(`
alsa_domtrans(xdm_t)
+ alsa_read_rw_config(xdm_t)
')
optional_policy(`
@ -25632,7 +25668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -312,6 +441,23 @@
@@ -312,6 +443,23 @@
')
optional_policy(`
@ -25656,7 +25692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
@@ -322,6 +468,10 @@
@@ -322,6 +470,10 @@
')
optional_policy(`
@ -25667,7 +25703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t)
')
@@ -335,6 +485,11 @@
@@ -335,6 +487,11 @@
')
optional_policy(`
@ -25679,7 +25715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
seutil_sigchld_newrole(xdm_t)
')
@@ -343,8 +498,8 @@
@@ -343,8 +500,8 @@
')
optional_policy(`
@ -25689,7 +25725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -380,7 +535,7 @@
@@ -380,7 +537,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -25698,7 +25734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -392,6 +547,15 @@
@@ -392,6 +549,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@ -25714,7 +25750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -404,9 +568,17 @@
@@ -404,9 +570,17 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -25732,7 +25768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
@@ -420,6 +592,22 @@
@@ -420,6 +594,22 @@
')
optional_policy(`
@ -25755,7 +25791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -429,47 +617,139 @@
@@ -429,47 +619,139 @@
')
optional_policy(`

View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
Release: 22%{?dist}
Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -387,6 +387,10 @@ exit 0
%endif
%changelog
* Fri Mar 18 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-23
- Fix file context for MATLAB
- Fixes for xace
* Tue Mar 18 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-22
- Allow stunnel to transition to inetd children domains
- Make unconfined_dbusd_t an unconfined domain