From d86efe56b90425d07e79c3aad991d13f380dd5d8 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 22 Sep 2008 20:07:59 +0000
Subject: [PATCH] - Fix transition to nsplugin

---
 policy-20080710.patch | 663 ++++++++++++++++++++++++------------------
 selinux-policy.spec | 5 +-
 2 files changed, 391 insertions(+), 277 deletions(-)

diff --git a/policy-20080710.patch b/policy-20080710.patch
index fea39761..d3c60f57 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -79,13 +79,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.8/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.8/config/appconfig-mcs/default_contexts 2008-09-17 08:49:08.000000000 -0400 -@@ -1,15 +0,0 @@ ++++ serefpolicy-3.5.8/config/appconfig-mcs/default_contexts 2008-09-22 15:25:07.000000000 -0400 +@@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 -system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 --system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 ++system_r:crond_t:s0 system_r:system_crond_t:s0 ++system_r:local_login_t:s0 user_r:user_t:s0 ++system_r:remote_login_t:s0 user_r:user_t:s0 ++system_r:sshd_t:s0 user_r:user_t:s0 + system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 -system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 - -staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 
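Review bot: The crond entries in this hunk move cron jobs from the dedicated `*_crond_t` domains to the plain login domains (`-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 …` becomes `+system_r:crond_t:s0 system_r:system_crond_t:s0`, with `user_r:user_crond_t:s0` → `user_r:user_t:s0` in the per-user files), yet the commit title only says "Fix transition to nsplugin". The same change is repeated in the hunks for the guest_u, root, staff_u, user_u and xguest_u default_contexts under appconfig-mcs, appconfig-mls and appconfig-standard. Running a scheduled job in the full interactive user domain removes whatever separation the cron-specific domains gave, so the widening should be stated in the commit message and the spec changelog, and it should be confirmed that the `*_crond_t` types are really gone from this policy (the hunks do not show that), since that is what makes the old entries dead rather than merely stricter.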
@@ -96,6 +100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con - -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 ++system_r:xdm_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.8/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.5.8/config/appconfig-mcs/failsafe_context 2008-09-17 08:49:08.000000000 -0400 @@ -104,19 +109,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts 2008-09-22 15:33:55.000000000 -0400 
@@ -0,0 +1,6 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 -+system_r:crond_t:s0 guest_r:guest_crond_t:s0 ++system_r:crond_t:s0 guest_r:guest_t:s0 +system_r:initrc_su_t:s0 guest_r:guest_t:s0 +guest_r:guest_t:s0 guest_r:guest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts 2008-09-22 15:36:05.000000000 -0400 @@ -1,11 +1,7 @@ - system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 +-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 ++system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 
@@ -130,8 +136,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts 2008-09-17 08:49:08.000000000 -0400 -@@ -5,6 +5,8 @@ ++++ serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts 2008-09-22 15:33:36.000000000 -0400 +@@ -1,10 +1,12 @@ + system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 + system_r:remote_login_t:s0 staff_r:staff_t:s0 + system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-system_r:crond_t:s0 staff_r:staff_crond_t:s0 ++system_r:crond_t:s0 staff_r:staff_t:s0 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 
@@ -152,8 +163,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts 2008-09-17 08:49:08.000000000 -0400 -@@ -5,4 +5,5 @@ ++++ serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts 2008-09-22 15:33:49.000000000 -0400 +@@ -1,8 +1,9 @@ + system_r:local_login_t:s0 user_r:user_t:s0 + system_r:remote_login_t:s0 user_r:user_t:s0 + system_r:sshd_t:s0 user_r:user_t:s0 +-system_r:crond_t:s0 user_r:user_crond_t:s0 ++system_r:crond_t:s0 user_r:user_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 @@ -168,23 +184,103 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_u:system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts 2008-09-22 15:34:01.000000000 -0400 
@@ -0,0 +1,7 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 +system_r:sshd_t xguest_r:xguest_t:s0 -+system_r:crond_t xguest_r:xguest_crond_t:s0 ++system_r:crond_t xguest_r:xguest_t:s0 +system_r:xdm_t xguest_r:xguest_t:s0 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.8/config/appconfig-mls/default_contexts +--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-mls/default_contexts 2008-09-22 15:37:18.000000000 -0400 +@@ -1,15 +1,6 @@ +-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 +-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 +-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 ++system_r:crond_t:s0 system_r:system_crond_t:s0 ++system_r:local_login_t:s0 user_r:user_t:s0 ++system_r:remote_login_t:s0 user_r:user_t:s0 ++system_r:sshd_t:s0 user_r:user_t:s0 + system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 +-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +- +-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +- +-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 +- +-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 ++system_r:xdm_t:s0 
user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts 2008-09-22 15:34:31.000000000 -0400 
@@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 -+system_r:crond_t:s0 guest_r:guest_crond_t:s0 ++system_r:crond_t:s0 guest_r:guest_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.8/config/appconfig-mls/root_default_contexts +--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-mls/root_default_contexts 2008-09-22 15:47:13.000000000 -0400 +@@ -1,11 +1,11 @@ +-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 +-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 ++system_r:crond_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 ++system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 + +-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 ++staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 ++user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 + + # + # Uncomment if you want to automatically login as sysadm_r + # +-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 ++#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/staff_u_default_contexts +--- 
nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-mls/staff_u_default_contexts 2008-09-22 15:34:13.000000000 -0400 +@@ -1,7 +1,7 @@ + system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 + system_r:remote_login_t:s0 staff_r:staff_t:s0 + system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-system_r:crond_t:s0 staff_r:staff_crond_t:s0 ++system_r:crond_t:s0 staff_r:staff_t:s0 + system_r:xdm_t:s0 staff_r:staff_t:s0 + staff_r:staff_su_t:s0 staff_r:staff_t:s0 + staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/user_u_default_contexts +--- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-mls/user_u_default_contexts 2008-09-22 15:34:21.000000000 -0400 +@@ -1,7 +1,7 @@ + system_r:local_login_t:s0 user_r:user_t:s0 + system_r:remote_login_t:s0 user_r:user_t:s0 + system_r:sshd_t:s0 user_r:user_t:s0 +-system_r:crond_t:s0 user_r:user_crond_t:s0 ++system_r:crond_t:s0 user_r:user_t:s0 + system_r:xdm_t:s0 user_r:user_t:s0 + user_r:user_su_t:s0 user_r:user_t:s0 + user_r:user_sudo_t:s0 user_r:user_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/xguest_u_default_contexts +--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.8/config/appconfig-mls/xguest_u_default_contexts 2008-09-22 15:37:37.000000000 -0400 +@@ -0,0 +1,7 @@ ++system_r:local_login_t xguest_r:xguest_t:s0 ++system_r:remote_login_t xguest_r:xguest_t:s0 ++system_r:sshd_t xguest_r:xguest_t:s0 ++system_r:crond_t xguest_r:xguest_t:s0 ++system_r:xdm_t xguest_r:xguest_t:s0 
++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 ++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.8/config/appconfig-standard/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400 
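Review bot: The newly added appconfig-mls/xguest_u_default_contexts leaves the range off the source context on five of its seven lines (`++system_r:local_login_t xguest_r:xguest_t:s0` through `++system_r:xdm_t xguest_r:xguest_t:s0`) while the last two carry it (`++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0`), and every other mls and mcs file touched by this patch writes the source as `role:type:s0`. The pre-existing appconfig-mcs/xguest_u_default_contexts earlier in this hunk has the same mixed form. Whether the default-context matcher tolerates a missing range I cannot confirm from here, but if it does not, xguest logins via local_login, sshd or xdm would silently fall through to no default context on an MLS system, so the entries should be made uniform, e.g. `system_r:local_login_t:s0 xguest_r:xguest_t:s0`.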
@@ -209,6 +305,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/staff_u_default_contexts +--- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-standard/staff_u_default_contexts 2008-09-22 15:34:45.000000000 -0400 +@@ -1,7 +1,7 @@ + system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t + system_r:remote_login_t staff_r:staff_t + system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t +-system_r:crond_t staff_r:staff_crond_t ++system_r:crond_t staff_r:staff_t + system_r:xdm_t staff_r:staff_t + staff_r:staff_su_t staff_r:staff_t + staff_r:staff_sudo_t staff_r:staff_t +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/user_u_default_contexts +--- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.8/config/appconfig-standard/user_u_default_contexts 2008-09-22 15:34:52.000000000 -0400 +@@ -1,7 +1,7 @@ + system_r:local_login_t user_r:user_t + system_r:remote_login_t user_r:user_t + system_r:sshd_t user_r:user_t +-system_r:crond_t user_r:user_crond_t ++system_r:crond_t user_r:user_t + system_r:xdm_t user_r:user_t + user_r:user_su_t user_r:user_t + user_r:user_sudo_t user_r:user_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/xguest_u_default_contexts --- 
nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.8/config/appconfig-standard/xguest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400 @@ -4279,8 +4399,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.8/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if 2008-09-21 07:27:44.000000000 -0400 -@@ -0,0 +1,493 @@ ++++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if 2008-09-22 15:35:16.000000000 -0400 +@@ -0,0 +1,293 @@ + +## policy for nsplugin + 
@@ -4363,247 +4483,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type nsplugin_exec_t; + type nsplugin_config_exec_t; + type $1_tmpfs_t; ++ type nsplugin_t; ++ type nsplugin_config_t; + ') -+ type $1_nsplugin_t; -+ domain_type($1_nsplugin_t) -+ domain_entry_file($1_nsplugin_t, nsplugin_exec_t) -+ role $3 types $1_nsplugin_t; + -+ type $1_nsplugin_config_t; -+ domain_type($1_nsplugin_config_t) -+ domain_entry_file($1_nsplugin_config_t, nsplugin_config_exec_t) -+ role $3 types $1_nsplugin_config_t; ++ role $3 types nsplugin_t; ++ role $3 types nsplugin_config_t; + -+ role $3 types $1_nsplugin_t; -+ role $3 types $1_nsplugin_config_t; -+ -+ allow $1_nsplugin_t $2:process signull; ++ allow nsplugin_t $2:process signull; + + list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + can_exec($2, nsplugin_rw_t) + -+ allow $1_nsplugin_t $1_tmpfs_t:file { read getattr }; -+ + #Leaked File Descriptors -+ dontaudit $1_nsplugin_t $2:tcp_socket rw_socket_perms; -+ dontaudit $1_nsplugin_t $2:udp_socket rw_socket_perms; -+ dontaudit $1_nsplugin_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit $1_nsplugin_t $2:unix_dgram_socket rw_socket_perms; -+ dontaudit $1_nsplugin_config_t $2:tcp_socket rw_socket_perms; -+ dontaudit $1_nsplugin_config_t $2:udp_socket rw_socket_perms; -+ dontaudit $1_nsplugin_config_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit $1_nsplugin_config_t $2:unix_dgram_socket rw_socket_perms; -+ allow $1_nsplugin_t $2:unix_stream_socket connectto; -+ dontaudit $1_nsplugin_t $2:process ptrace; ++ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:udp_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms; ++ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms; ++ dontaudit 
nsplugin_config_t $2:udp_socket rw_socket_perms; ++ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms; ++ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms; ++ allow nsplugin_t $2:unix_stream_socket connectto; ++ dontaudit nsplugin_t $2:process ptrace; + -+ allow $2 $1_nsplugin_t:process { getattr ptrace signal_perms }; -+ allow $2 $1_nsplugin_t:unix_stream_socket connectto; ++ allow $2 nsplugin_t:process { getattr ptrace signal_perms }; ++ allow $2 nsplugin_t:unix_stream_socket connectto; + + # Connect to pulseaudit server -+ stream_connect_pattern($1_nsplugin_t, user_home_t, user_home_t, $2) -+ gnome_stream_connect($1_nsplugin_t, $2) ++ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) ++ gnome_stream_connect(nsplugin_t, $2) + -+ userdom_use_user_terminals($1, $1_nsplugin_t) -+ userdom_use_user_terminals($1, $1_nsplugin_config_t) ++ allow nsplugin_t $1_tmpfs_t:file { read getattr }; + -+ xserver_common_app($1, $1_nsplugin_t) -+ -+######################################## -+# -+# nsplugin local policy -+# -+dontaudit $1_nsplugin_t self:capability sys_tty_config; -+allow $1_nsplugin_t self:fifo_file rw_file_perms; -+allow $1_nsplugin_t self:process { ptrace getsched setsched signal_perms }; ++ userdom_use_user_terminals($1, nsplugin_t) ++ userdom_use_user_terminals($1, nsplugin_config_t) + -+allow $1_nsplugin_t self:sem create_sem_perms; -+allow $1_nsplugin_t self:shm create_shm_perms; -+allow $1_nsplugin_t self:msgq create_msgq_perms; -+allow $1_nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+ -+tunable_policy(`allow_nsplugin_execmem',` -+ allow $1_nsplugin_t self:process { execstack execmem }; -+ allow $1_nsplugin_config_t self:process { execstack execmem }; -+') -+ -+manage_dirs_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+exec_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+manage_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t) 
-+manage_lnk_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+userdom_user_home_dir_filetrans(user, $1_nsplugin_t, nsplugin_home_t, {file dir}) -+unprivuser_dontaudit_write_home_content_files($1_nsplugin_t) -+ -+corecmd_exec_bin($1_nsplugin_t) -+corecmd_exec_shell($1_nsplugin_t) -+ -+corenet_all_recvfrom_unlabeled($1_nsplugin_t) -+corenet_all_recvfrom_netlabel($1_nsplugin_t) -+corenet_tcp_connect_flash_port($1_nsplugin_t) -+corenet_tcp_connect_pulseaudio_port($1_nsplugin_t) -+corenet_tcp_connect_http_port($1_nsplugin_t) -+corenet_tcp_sendrecv_generic_if($1_nsplugin_t) -+corenet_tcp_sendrecv_all_nodes($1_nsplugin_t) -+ -+domain_dontaudit_read_all_domains_state($1_nsplugin_t) -+ -+dev_read_rand($1_nsplugin_t) -+dev_read_sound($1_nsplugin_t) -+dev_write_sound($1_nsplugin_t) -+dev_read_video_dev($1_nsplugin_t) -+dev_write_video_dev($1_nsplugin_t) -+dev_getattr_dri_dev($1_nsplugin_t) -+dev_rwx_zero($1_nsplugin_t) -+ -+kernel_read_kernel_sysctls($1_nsplugin_t) -+kernel_read_system_state($1_nsplugin_t) -+ -+files_read_usr_files($1_nsplugin_t) -+files_read_etc_files($1_nsplugin_t) -+files_read_config_files($1_nsplugin_t) -+ -+fs_list_inotifyfs($1_nsplugin_t) -+fs_manage_tmpfs_files($1_nsplugin_t) -+fs_getattr_tmpfs($1_nsplugin_t) -+fs_getattr_xattr_fs($1_nsplugin_t) -+ -+term_dontaudit_getattr_all_user_ptys($1_nsplugin_t) -+term_dontaudit_getattr_all_user_ttys($1_nsplugin_t) -+ -+auth_use_nsswitch($1_nsplugin_t) -+ -+libs_use_ld_so($1_nsplugin_t) -+libs_use_shared_libs($1_nsplugin_t) -+libs_exec_ld_so($1_nsplugin_t) -+ -+miscfiles_read_localization($1_nsplugin_t) -+miscfiles_read_fonts($1_nsplugin_t) -+ -+unprivuser_manage_tmp_dirs($1_nsplugin_t) -+unprivuser_manage_tmp_files($1_nsplugin_t) -+unprivuser_manage_tmp_sockets($1_nsplugin_t) -+userdom_tmp_filetrans_user_tmp(user, $1_nsplugin_t, { file dir sock_file }) -+unprivuser_read_tmpfs_files($1_nsplugin_t) -+unprivuser_rw_semaphores($1_nsplugin_t) -+unprivuser_delete_tmpfs_files($1_nsplugin_t) -+ 
-+unprivuser_read_home_content_symlinks($1_nsplugin_t) -+unprivuser_read_home_content_files($1_nsplugin_t) -+unprivuser_read_tmp_files($1_nsplugin_t) -+userdom_write_user_tmp_sockets(user, $1_nsplugin_t) -+unprivuser_dontaudit_append_home_content_files($1_nsplugin_t) -+userdom_dontaudit_unlink_unpriv_home_content_files($1_nsplugin_t) -+userdom_dontaudit_manage_user_tmp_files(user, $1_nsplugin_t) -+ -+optional_policy(` -+ alsa_read_rw_config($1_nsplugin_t) -+') -+ -+optional_policy(` -+ gnome_exec_gconf($1_nsplugin_t) -+ gnome_manage_user_gnome_config(user, $1_nsplugin_t) -+ allow $1_nsplugin_t gnome_home_t:sock_file write; -+') -+ -+optional_policy(` -+ mozilla_read_user_home_files(user, $1_nsplugin_t) -+ mozilla_write_user_home_files(user, $1_nsplugin_t) -+') -+ -+optional_policy(` -+ mplayer_exec($1_nsplugin_t) -+ mplayer_read_user_home_files(user, $1_nsplugin_t) -+') -+ -+optional_policy(` -+ unconfined_execmem_signull($1_nsplugin_t) -+ unconfined_delete_tmpfs_files($1_nsplugin_t) -+') -+ -+optional_policy(` -+ xserver_stream_connect_xdm_xserver($1_nsplugin_t) -+ xserver_xdm_rw_shm($1_nsplugin_t) -+ xserver_read_xdm_tmp_files($1_nsplugin_t) -+ xserver_read_xdm_pid($1_nsplugin_t) -+ xserver_read_user_xauth(user, $1_nsplugin_t) -+ xserver_read_user_iceauth(user, $1_nsplugin_t) -+ xserver_use_user_fonts(user, $1_nsplugin_t) -+ xserver_manage_home_fonts($1_nsplugin_t) -+ xserver_dontaudit_rw_xdm_home_files($1_nsplugin_t) -+') -+ -+######################################## -+# -+# $1_nsplugin_config local policy -+# -+ -+allow $1_nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -+allow $1_nsplugin_config_t self:process { setsched sigkill getsched execmem }; -+#execing pulseaudio -+dontaudit $1_nsplugin_t self:process { getcap setcap }; -+ -+allow $1_nsplugin_config_t self:fifo_file rw_file_perms; -+allow $1_nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; -+ -+fs_list_inotifyfs($1_nsplugin_config_t) -+ 
-+can_exec($1_nsplugin_config_t, nsplugin_rw_t) -+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+manage_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+ -+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+manage_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+ -+corecmd_exec_bin($1_nsplugin_config_t) -+corecmd_exec_shell($1_nsplugin_config_t) -+ -+kernel_read_system_state($1_nsplugin_config_t) -+ -+files_read_etc_files($1_nsplugin_config_t) -+files_read_usr_files($1_nsplugin_config_t) -+files_dontaudit_search_home($1_nsplugin_config_t) -+files_list_tmp($1_nsplugin_config_t) -+ -+auth_use_nsswitch($1_nsplugin_config_t) -+ -+libs_use_ld_so($1_nsplugin_config_t) -+libs_use_shared_libs($1_nsplugin_config_t) -+ -+miscfiles_read_localization($1_nsplugin_config_t) -+miscfiles_read_fonts($1_nsplugin_config_t) -+ -+userdom_search_all_users_home_content($1_nsplugin_config_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs($1_nsplugin_t) -+ fs_manage_nfs_files($1_nsplugin_t) -+ fs_manage_nfs_dirs($1_nsplugin_config_t) -+ fs_manage_nfs_files($1_nsplugin_config_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs($1_nsplugin_t) -+ fs_manage_cifs_files($1_nsplugin_t) -+ fs_manage_cifs_dirs($1_nsplugin_config_t) -+ fs_manage_cifs_files($1_nsplugin_config_t) -+') -+ -+domtrans_pattern($1_nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t) -+ -+optional_policy(` -+ xserver_read_home_fonts($1_nsplugin_config_t) -+') -+ -+optional_policy(` -+ mozilla_read_user_home_files(user, $1_nsplugin_config_t) -+') -+ -+ optional_policy(` -+ openoffice_plugin_per_role_template($1, $1_nsplugin_t) -+ ') ++ xserver_common_app($1, nsplugin_t) +') + +####################################### 
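Review bot: Collapsing the per-role `$1_nsplugin_t` into one shared `nsplugin_t` turns the template's rules into cross-role grants: `++ allow $2 nsplugin_t:process { getattr ptrace signal_perms };` and `++ allow nsplugin_t $1_tmpfs_t:file { read getattr };` are emitted once per calling role against the same type, so once two roles instantiate the template, type enforcement alone no longer stops a user_t process from ptracing a plugin started in a staff session, or the plugin from reading the other role's tmpfs files; only DAC and any MCS categories separate them now. That may be the intended design, but it deserves a sentence in the interface header (outside this hunk) and the `ptrace` permission is worth re-checking now that it crosses roles. Separately, the template no longer emits `domtrans_pattern($1_nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)`, and the visible part of the nsplugin.te hunk does not show a `domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)` replacement; since that hunk is cut off here, confirm it landed, otherwise the config domain can no longer enter nsplugin_t, which is the transition the title says this fixes. The interface `nsplugin_per_role_template_notrans` begins before this hunk.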
@@ -4642,12 +4560,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + type nsplugin_exec_t; + type nsplugin_config_exec_t; ++ type nsplugin_t; ++ type nsplugin_config_t; + ') + + nsplugin_per_role_template_notrans($1, $2, $3) + -+ domtrans_pattern($2, nsplugin_exec_t, $1_nsplugin_t) -+ domtrans_pattern($2, nsplugin_config_exec_t, $1_nsplugin_config_t) ++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) ++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) +') + +####################################### @@ -4680,10 +4600,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`nsplugin_domtrans_user',` + gen_require(` + type nsplugin_exec_t; -+ type $1_nsplugin_t; ++ type nsplugin_t; + ') + -+ domtrans_pattern($2, nsplugin_exec_t, $1_nsplugin_t) ++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) +') +####################################### +## @@ -4715,10 +4635,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`nsplugin_domtrans_user_config',` + gen_require(` + type nsplugin_config_exec_t; -+ type $1_nsplugin_config_t; ++ type nsplugin_config_t; + ') + -+ domtrans_pattern($2, nsplugin_config_exec_t, $1_nsplugin_config_t) ++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) +') + +######################################## 
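Review bot: In the `nsplugin_domtrans_user` and `nsplugin_domtrans_user_config` hunks the first parameter is now dead: its only uses were `$1_nsplugin_t` and `$1_nsplugin_config_t`, replaced by `++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)` and `++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)`, yet the signatures and their doc blocks (outside the hunks) still present `$1` as a user-domain prefix. Either mark the parameter in each interface's doc block as unused and kept for caller compatibility, e.g. `## The user domain prefix is no longer used; nsplugin domains are shared across roles.`, or add a plain non-prefixed interface and have the `_user` variants forward to it. The same applies to `$1` in `nsplugin_per_role_template`, which now only feeds the notrans template and `userdom_use_user_terminals`.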
@@ -4776,8 +4696,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-17 19:06:31.000000000 -0400 -@@ -0,0 +1,36 @@ ++++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-22 14:52:12.000000000 -0400 +@@ -0,0 +1,234 @@ + +policy_module(nsplugin, 1.0.0) + 
@@ -4810,10 +4730,208 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_user_home_content(user, nsplugin_home_t) +typealias nsplugin_home_t alias user_nsplugin_home_t; + ++type nsplugin_t; ++domain_type(nsplugin_t) ++domain_entry_file(nsplugin_t, nsplugin_exec_t) ++ ++type nsplugin_config_t; ++domain_type(nsplugin_config_t) ++domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) ++ +application_executable_file(nsplugin_exec_t) +application_executable_file(nsplugin_config_exec_t) + + ++######################################## ++# ++# nsplugin local policy ++# ++dontaudit nsplugin_t self:capability sys_tty_config; ++allow nsplugin_t self:fifo_file rw_file_perms; ++allow nsplugin_t self:process { ptrace getsched setsched signal_perms }; ++ ++allow nsplugin_t self:sem create_sem_perms; ++allow nsplugin_t self:shm create_shm_perms; ++allow nsplugin_t self:msgq create_msgq_perms; ++allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++ ++tunable_policy(`allow_nsplugin_execmem',` ++ allow nsplugin_t self:process { execstack execmem }; ++ allow nsplugin_config_t self:process { execstack execmem }; ++') ++ ++manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) ++unprivuser_dontaudit_write_home_content_files(nsplugin_t) ++ ++corecmd_exec_bin(nsplugin_t) ++corecmd_exec_shell(nsplugin_t) ++ ++corenet_all_recvfrom_unlabeled(nsplugin_t) ++corenet_all_recvfrom_netlabel(nsplugin_t) ++corenet_tcp_connect_flash_port(nsplugin_t) ++corenet_tcp_connect_pulseaudio_port(nsplugin_t) ++corenet_tcp_connect_http_port(nsplugin_t) ++corenet_tcp_sendrecv_generic_if(nsplugin_t) 
++corenet_tcp_sendrecv_all_nodes(nsplugin_t) ++ ++domain_dontaudit_read_all_domains_state(nsplugin_t) ++ ++dev_read_rand(nsplugin_t) ++dev_read_sound(nsplugin_t) ++dev_write_sound(nsplugin_t) ++dev_read_video_dev(nsplugin_t) ++dev_write_video_dev(nsplugin_t) ++dev_getattr_dri_dev(nsplugin_t) ++dev_rwx_zero(nsplugin_t) ++ ++kernel_read_kernel_sysctls(nsplugin_t) ++kernel_read_system_state(nsplugin_t) ++ ++files_read_usr_files(nsplugin_t) ++files_read_etc_files(nsplugin_t) ++files_read_config_files(nsplugin_t) ++ ++fs_list_inotifyfs(nsplugin_t) ++fs_manage_tmpfs_files(nsplugin_t) ++fs_getattr_tmpfs(nsplugin_t) ++fs_getattr_xattr_fs(nsplugin_t) ++ ++term_dontaudit_getattr_all_user_ptys(nsplugin_t) ++term_dontaudit_getattr_all_user_ttys(nsplugin_t) ++ ++auth_use_nsswitch(nsplugin_t) ++ ++libs_use_ld_so(nsplugin_t) ++libs_use_shared_libs(nsplugin_t) ++libs_exec_ld_so(nsplugin_t) ++ ++miscfiles_read_localization(nsplugin_t) ++miscfiles_read_fonts(nsplugin_t) ++ ++unprivuser_manage_tmp_dirs(nsplugin_t) ++unprivuser_manage_tmp_files(nsplugin_t) ++unprivuser_manage_tmp_sockets(nsplugin_t) ++userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file }) ++unprivuser_read_tmpfs_files(nsplugin_t) ++unprivuser_rw_semaphores(nsplugin_t) ++unprivuser_delete_tmpfs_files(nsplugin_t) ++ ++unprivuser_read_home_content_symlinks(nsplugin_t) ++unprivuser_read_home_content_files(nsplugin_t) ++unprivuser_read_tmp_files(nsplugin_t) ++userdom_write_user_tmp_sockets(user, nsplugin_t) ++unprivuser_dontaudit_append_home_content_files(nsplugin_t) ++userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t) ++userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t) ++ ++optional_policy(` ++ alsa_read_rw_config(nsplugin_t) ++') ++ ++optional_policy(` ++ gnome_exec_gconf(nsplugin_t) ++ gnome_manage_user_gnome_config(user, nsplugin_t) ++ allow nsplugin_t gnome_home_t:sock_file write; ++') ++ ++optional_policy(` ++ mozilla_read_user_home_files(user, nsplugin_t) ++ 
mozilla_write_user_home_files(user, nsplugin_t) ++') ++ ++optional_policy(` ++ mplayer_exec(nsplugin_t) ++ mplayer_read_user_home_files(user, nsplugin_t) ++') ++ ++optional_policy(` ++ unconfined_execmem_signull(nsplugin_t) ++ unconfined_delete_tmpfs_files(nsplugin_t) ++') ++ ++optional_policy(` ++ xserver_stream_connect_xdm_xserver(nsplugin_t) ++ xserver_xdm_rw_shm(nsplugin_t) ++ xserver_read_xdm_tmp_files(nsplugin_t) ++ xserver_read_xdm_pid(nsplugin_t) ++ xserver_read_user_xauth(user, nsplugin_t) ++ xserver_read_user_iceauth(user, nsplugin_t) ++ xserver_use_user_fonts(user, nsplugin_t) ++ xserver_manage_home_fonts(nsplugin_t) ++ xserver_dontaudit_rw_xdm_home_files(nsplugin_t) ++') ++ ++######################################## ++# ++# nsplugin_config local policy ++# ++ ++allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; ++allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; ++#execing pulseaudio ++dontaudit nsplugin_t self:process { getcap setcap }; ++ ++allow nsplugin_config_t self:fifo_file rw_file_perms; ++allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; ++ ++fs_list_inotifyfs(nsplugin_config_t) ++ ++can_exec(nsplugin_config_t, nsplugin_rw_t) ++manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++ ++manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++ ++corecmd_exec_bin(nsplugin_config_t) ++corecmd_exec_shell(nsplugin_config_t) ++ ++kernel_read_system_state(nsplugin_config_t) ++ ++files_read_etc_files(nsplugin_config_t) ++files_read_usr_files(nsplugin_config_t) ++files_dontaudit_search_home(nsplugin_config_t) 
++files_list_tmp(nsplugin_config_t) ++ ++auth_use_nsswitch(nsplugin_config_t) ++ ++libs_use_ld_so(nsplugin_config_t) ++libs_use_shared_libs(nsplugin_config_t) ++ ++miscfiles_read_localization(nsplugin_config_t) ++miscfiles_read_fonts(nsplugin_config_t) ++ ++userdom_search_all_users_home_content(nsplugin_config_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(nsplugin_t) ++ fs_manage_nfs_files(nsplugin_t) ++ fs_manage_nfs_dirs(nsplugin_config_t) ++ fs_manage_nfs_files(nsplugin_config_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(nsplugin_t) ++ fs_manage_cifs_files(nsplugin_t) ++ fs_manage_cifs_dirs(nsplugin_config_t) ++ fs_manage_cifs_files(nsplugin_config_t) ++') ++ ++domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) ++ ++optional_policy(` ++ xserver_read_home_fonts(nsplugin_config_t) ++') ++ ++optional_policy(` ++ mozilla_read_user_home_files(user, nsplugin_config_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.8/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.8/policy/modules/apps/openoffice.fc 2008-09-17 08:49:08.000000000 -0400 @@ -8292,7 +8410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.8/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/kernel/storage.fc 2008-09-22 12:22:40.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/kernel/storage.fc 2008-09-22 15:56:42.000000000 -0400 
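Review bot: `dontaudit nsplugin_t self:process { getcap setcap };` sits under the `#execing pulseaudio` comment inside the nsplugin_config local-policy section yet names `nsplugin_t`, so it either belongs in the nsplugin_t block above or should read `dontaudit nsplugin_config_t self:process { getcap setcap };`. The unconditional `allow nsplugin_config_t self:process { setsched sigkill getsched execmem };` also makes the `execmem` half of the `allow_nsplugin_execmem` tunable a no-op for nsplugin_config_t, leaving only `execstack` gated there; if config always needs execmem, drop it from the tunable so the boolean's documented effect is accurate. With the per-role domains collapsed into one `nsplugin_t` that is granted `self:process { ptrace getsched setsched signal_perms }`, plugin instances of different users now share a type and are kept apart only by MCS categories and DAC, which is a trade-off worth a one-line comment where that rule is written. nsplugin_config_t is given both `manage_files_pattern` and `can_exec` on `nsplugin_rw_t`, i.e. it may write a file and then execute it, so a comment stating why write+exec on the same type is required would help later review. `allow nsplugin_t gnome_home_t:sock_file write;` uses `gnome_home_t` with no `gen_require` visible in that optional block; unless one exists outside this hunk, the module build is likely to fail on the undeclared type.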
@@ -27,6 +27,7 @@ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) @@ -8301,14 +8419,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) -@@ -65,6 +66,7 @@ - - /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) - - /dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.8/policy/modules/roles/guest.fc --- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.8/policy/modules/roles/guest.fc 2008-09-17 08:49:08.000000000 -0400 @@ -13976,7 +14086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-09-03 07:59:15.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/cups.te 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/cups.te 2008-09-22 14:18:53.000000000 -0400 @@ -48,6 +48,10 @@ type hplip_t; type hplip_exec_t; 
@@ -14058,7 +14168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +174,48 @@ +@@ -149,44 +174,49 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -14072,6 +14182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(cupsd_t) dev_read_sysfs(cupsd_t) -dev_read_usbfs(cupsd_t) ++dev_rw_input_dev(cupsd_t) #447878 +dev_rw_generic_usb_dev(cupsd_t) +dev_rw_usbfs(cupsd_t) dev_getattr_printer_dev(cupsd_t) @@ -14112,7 +14223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +224,16 @@ +@@ -195,15 +225,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -14133,7 +14244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +249,22 @@ +@@ -219,17 +250,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -14158,7 +14269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -246,8 +281,16 @@ +@@ -246,8 +282,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` @@ -14175,7 +14286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -263,6 +306,10 @@ +@@ -263,6 +307,10 @@ ') optional_policy(` 
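Review bot: `dev_rw_input_dev(cupsd_t) #447878` widens cupsd to read/write on input event devices, which is keystroke-level access, with only a bug number as rationale. Record what the daemon does with those devices, e.g. `# bz 447878: cupsd needs rw on input devices for <reason — fill in>`, so a later reviewer can judge whether a narrower permission (read-only, or a specific device type) would suffice. The remaining hunks in this span only renumber hunk headers and raise nothing.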
@@ -14186,7 +14297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -281,7 +328,7 @@ +@@ -281,7 +329,7 @@ # Cups configuration daemon local policy # @@ -14195,7 +14306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -326,6 +373,7 @@ +@@ -326,6 +374,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -14203,7 +14314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -343,7 +391,7 @@ +@@ -343,7 +392,7 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this @@ -14212,7 +14323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_config_t) -@@ -353,6 +401,7 @@ +@@ -353,6 +402,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -14220,7 +14331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -365,14 +414,16 @@ +@@ -365,14 +415,16 @@ sysadm_dontaudit_search_home_dirs(cupsd_config_t) ifdef(`distro_redhat',` @@ -14239,7 +14350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -388,6 +439,7 @@ +@@ -388,6 +440,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) 
@@ -14247,7 +14358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -500,7 +552,7 @@ +@@ -500,7 +553,7 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -14256,7 +14367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) -@@ -509,6 +561,8 @@ +@@ -509,6 +562,8 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14265,7 +14376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -538,7 +592,8 @@ +@@ -538,7 +593,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -14275,7 +14386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -564,12 +619,14 @@ +@@ -564,12 +620,14 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -14291,7 +14402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -651,3 +708,45 @@ +@@ -651,3 +709,45 @@ optional_policy(` udev_read_db(ptal_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index e8bd1923..c14f3cc3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.8 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,9 @@ exit 0 %endif %changelog +* Mon Sep 22 2008 Dan Walsh 3.5.8-6 +- Fix transition to nsplugin + * Mon Sep 22 2008 Dan Walsh 3.5.8-5 - Add file context for /dev/mspblk.*