- Allow wine to run in system role
This commit is contained in:
parent
37d6a1ce3f
commit
c7e443c95c
@ -2401,9 +2401,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
|
||||
+ role $2 types wine_t;
|
||||
+ allow wine_t $3:chr_file rw_term_perms;
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.7/policy/modules/apps/wine.te
|
||||
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-07-25 10:37:37.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/apps/wine.te 2007-09-07 09:04:03.000000000 -0400
|
||||
@@ -9,6 +9,7 @@
|
||||
type wine_t;
|
||||
type wine_exec_t;
|
||||
application_domain(wine_t,wine_exec_t)
|
||||
+role system_r types wine_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc 2007-09-07 13:47:17.000000000 -0400
|
||||
@@ -36,6 +36,11 @@
|
||||
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -2437,6 +2448,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
@@ -259,3 +265,7 @@
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
+
|
||||
+/etc/gdm/XKeepsCrashing[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
|
||||
+/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in 2007-09-06 15:43:06.000000000 -0400
|
||||
@ -2486,7 +2505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
## <param name="domain">
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in 2007-09-07 15:02:19.000000000 -0400
|
||||
@@ -55,6 +55,11 @@
|
||||
type reserved_port_t, port_type, reserved_port_type;
|
||||
|
||||
@ -2528,11 +2547,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0)
|
||||
@@ -160,13 +166,17 @@
|
||||
@@ -146,7 +152,7 @@
|
||||
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
||||
network_port(spamd, tcp,783,s0)
|
||||
network_port(ssh, tcp,22,s0)
|
||||
-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
|
||||
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
|
||||
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
||||
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
||||
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
|
||||
@@ -160,13 +166,18 @@
|
||||
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
||||
network_port(uucpd, tcp,540,s0)
|
||||
network_port(vnc, tcp,5900,s0)
|
||||
+network_port(wccp, udp,2048,s0)
|
||||
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
|
||||
network_port(xen, tcp,8002,s0)
|
||||
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
|
||||
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
|
||||
@ -5920,7 +5949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.7/policy/modules/services/kerberos.te
|
||||
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-07 10:31:47.000000000 -0400
|
||||
@@ -62,7 +62,7 @@
|
||||
# Use capabilities. Surplus capabilities may be allowed.
|
||||
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
|
||||
@ -5964,6 +5993,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -151,7 +157,7 @@
|
||||
# Use capabilities. Surplus capabilities may be allowed.
|
||||
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
|
||||
dontaudit krb5kdc_t self:capability sys_tty_config;
|
||||
-allow krb5kdc_t self:process { setsched getsched signal_perms };
|
||||
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
|
||||
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
|
||||
allow krb5kdc_t self:udp_socket create_socket_perms;
|
||||
@@ -223,6 +229,7 @@
|
||||
miscfiles_read_localization(krb5kdc_t)
|
||||
|
||||
@ -5972,6 +6010,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
|
||||
@@ -233,6 +240,7 @@
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(krb5kdc_t)
|
||||
+ seutil_read_file_contexts(krb5kdc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.0.7/policy/modules/services/ktalk.te
|
||||
--- nsaserefpolicy/policy/modules/services/ktalk.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/ktalk.te 2007-09-06 15:43:06.000000000 -0400
|
||||
@ -7732,7 +7778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
||||
fs_search_auto_mountpoints($1_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.7/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/rpc.te 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/rpc.te 2007-09-07 10:32:33.000000000 -0400
|
||||
@@ -59,10 +59,14 @@
|
||||
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
|
||||
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
|
||||
@ -7782,16 +7828,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -143,6 +154,8 @@
|
||||
@@ -143,6 +154,9 @@
|
||||
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
|
||||
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
||||
|
||||
+auth_use_nsswitch(gssd_t)
|
||||
+
|
||||
+kernel_read_system_state(gssd_t)
|
||||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
kernel_search_network_sysctl(gssd_t)
|
||||
@@ -158,6 +171,9 @@
|
||||
@@ -158,6 +172,9 @@
|
||||
|
||||
miscfiles_read_certs(gssd_t)
|
||||
|
||||
@ -9287,7 +9334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.7/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/xserver.te 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/services/xserver.te 2007-09-07 15:02:10.000000000 -0400
|
||||
@@ -16,6 +16,13 @@
|
||||
|
||||
## <desc>
|
||||
@ -9323,7 +9370,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
allow xdm_t xdm_xserver_t:process signal;
|
||||
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
@@ -246,6 +257,7 @@
|
||||
@@ -189,6 +200,7 @@
|
||||
corenet_sendrecv_all_client_packets(xdm_t)
|
||||
# xdm tries to bind to biff_port_t
|
||||
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
|
||||
+corenet_udp_bind_xdmcp_ports(xdm_t)
|
||||
|
||||
dev_read_rand(xdm_t)
|
||||
dev_read_sysfs(xdm_t)
|
||||
@@ -246,6 +258,7 @@
|
||||
auth_domtrans_pam_console(xdm_t)
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
@ -9331,7 +9386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
@@ -257,6 +269,7 @@
|
||||
@@ -257,6 +270,7 @@
|
||||
libs_exec_lib_files(xdm_t)
|
||||
|
||||
logging_read_generic_logs(xdm_t)
|
||||
@ -9339,7 +9394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
miscfiles_read_localization(xdm_t)
|
||||
miscfiles_read_fonts(xdm_t)
|
||||
@@ -271,6 +284,10 @@
|
||||
@@ -271,6 +285,10 @@
|
||||
# Search /proc for any user domain processes.
|
||||
userdom_read_all_users_state(xdm_t)
|
||||
userdom_signal_all_users(xdm_t)
|
||||
@ -9350,7 +9405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
|
||||
|
||||
@@ -306,6 +323,8 @@
|
||||
@@ -306,6 +324,8 @@
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(xdm_t)
|
||||
@ -9359,7 +9414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -348,12 +367,8 @@
|
||||
@@ -348,12 +368,8 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9373,7 +9428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
@@ -385,7 +400,7 @@
|
||||
@@ -385,7 +401,7 @@
|
||||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
@ -9382,7 +9437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
|
||||
@@ -425,6 +440,10 @@
|
||||
@@ -425,6 +441,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9393,7 +9448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
resmgr_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -434,47 +453,19 @@
|
||||
@@ -434,47 +454,19 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11333,7 +11388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
|
||||
/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.7/policy/modules/system/lvm.te
|
||||
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/lvm.te 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/lvm.te 2007-09-07 09:00:42.000000000 -0400
|
||||
@@ -150,7 +150,9 @@
|
||||
|
||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||
@ -11362,7 +11417,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
|
||||
|
||||
term_getattr_all_user_ttys(lvm_t)
|
||||
term_list_ptys(lvm_t)
|
||||
@@ -293,5 +298,15 @@
|
||||
@@ -275,6 +280,8 @@
|
||||
seutil_search_default_contexts(lvm_t)
|
||||
seutil_sigchld_newrole(lvm_t)
|
||||
|
||||
+userdom_dontaudit_search_sysadm_home_dirs(lvm_t)
|
||||
+
|
||||
ifdef(`distro_redhat',`
|
||||
# this is from the initrd:
|
||||
files_rw_isid_type_dirs(lvm_t)
|
||||
@@ -293,5 +300,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -13971,7 +14035,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.7/policy/modules/system/xen.te
|
||||
--- nsaserefpolicy/policy/modules/system/xen.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/xen.te 2007-09-06 15:43:06.000000000 -0400
|
||||
+++ serefpolicy-3.0.7/policy/modules/system/xen.te 2007-09-07 08:48:47.000000000 -0400
|
||||
@@ -95,7 +95,7 @@
|
||||
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
|
||||
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
|
||||
|
||||
-allow xend_t xenctl_t:fifo_file manage_file_perms;
|
||||
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
|
||||
dev_filetrans(xend_t, xenctl_t, fifo_file)
|
||||
|
||||
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
|
||||
@@ -126,7 +126,7 @@
|
||||
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
|
||||
allow xenstored_t xend_t:fd use;
|
||||
allow xenstored_t xend_t:process sigchld;
|
||||
-allow xenstored_t xend_t:fifo_file write;
|
||||
+allow xenstored_t xend_t:fifo_file write_fifo_file_perms;
|
||||
|
||||
# transition to console
|
||||
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
|
||||
@@ -176,6 +176,7 @@
|
||||
files_manage_etc_runtime_files(xend_t)
|
||||
files_etc_filetrans_etc_runtime(xend_t,file)
|
||||
@ -13980,6 +14062,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
|
||||
storage_raw_read_fixed_disk(xend_t)
|
||||
storage_raw_write_fixed_disk(xend_t)
|
||||
@@ -224,7 +225,7 @@
|
||||
|
||||
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
|
||||
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
||||
-allow xenconsoled_t self:fifo_file { read write };
|
||||
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
|
||||
|
||||
@@ -257,7 +258,7 @@
|
||||
|
||||
miscfiles_read_localization(xenconsoled_t)
|
||||
@ -13998,7 +14089,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
|
||||
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xenstored_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@@ -324,6 +325,7 @@
|
||||
@@ -318,12 +319,13 @@
|
||||
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
|
||||
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
-allow xm_t self:fifo_file { read write };
|
||||
+allow xm_t self:fifo_file rw_fifo_file_perms;
|
||||
allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xm_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
||||
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
|
||||
|
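Review bot: The new `role system_r types wine_t;` in wine.te is an unconditional grant with no comment naming the system_r process that needs to transition into wine_t, and unlike the `role $2 types wine_t;` added to the wine.if interface it cannot be scoped by a caller, so every system_r domain that is later given a transition to wine_exec_t will end up in wine_t. I would add `# system_r may run wine_t: required when Wine is started from a system service rather than a user session; keep in sync with the role grant in wine.if` above it, naming the actual service if one was the trigger for this change. If a single daemon was the motivation, placing the role statement inside that daemon's optional_policy block (or having that module call the wine interface with system_r) would keep the grant from applying to all of system_r. The wine.if interface whose `role $2 types wine_t;` and `allow wine_t $3:chr_file rw_term_perms;` lines are shown starts outside the hunk, so the meaning of `$2`/`$3` is inferred from refpolicy convention rather than visible here.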
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.7
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -362,6 +362,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Sep 7 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-6
|
||||
- Allow wine to run in system role
|
||||
|
||||
* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-5
|
||||
- Fix java labeling
|
||||
|
||||
|