- Fix transition to nsplugin

This commit is contained in:
Daniel J Walsh 2008-09-22 20:07:59 +00:00
parent f0375d509e
commit d86efe56b9
2 changed files with 391 additions and 277 deletions

View File

@ -79,13 +79,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.8/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mcs/default_contexts 2008-09-17 08:49:08.000000000 -0400
@@ -1,15 +0,0 @@
+++ serefpolicy-3.5.8/config/appconfig-mcs/default_contexts 2008-09-22 15:25:07.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 system_r:system_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
@ -96,6 +100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
-
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.8/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mcs/failsafe_context 2008-09-17 08:49:08.000000000 -0400
@ -104,19 +109,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+system_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mcs/guest_u_default_contexts 2008-09-22 15:33:55.000000000 -0400
@@ -0,0 +1,6 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
+guest_r:guest_t:s0 guest_r:guest_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mcs/root_default_contexts 2008-09-22 15:36:05.000000000 -0400
@@ -1,11 +1,7 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@ -130,8 +136,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
@@ -5,6 +5,8 @@
+++ serefpolicy-3.5.8/config/appconfig-mcs/staff_u_default_contexts 2008-09-22 15:33:36.000000000 -0400
@@ -1,10 +1,12 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:staff_crond_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
@ -152,8 +163,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
@@ -5,4 +5,5 @@
+++ serefpolicy-3.5.8/config/appconfig-mcs/user_u_default_contexts 2008-09-22 15:33:49.000000000 -0400
@@ -1,8 +1,9 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
@ -168,23 +184,103 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+system_u:system_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mcs/xguest_u_default_contexts 2008-09-22 15:34:01.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_crond_t:s0
+system_r:crond_t xguest_r:xguest_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.8/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mls/default_contexts 2008-09-22 15:37:18.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:system_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mls/guest_u_default_contexts 2008-09-22 15:34:31.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.8/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mls/root_default_contexts 2008-09-22 15:47:13.000000000 -0400
@@ -1,11 +1,11 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mls/staff_u_default_contexts 2008-09-22 15:34:13.000000000 -0400
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:staff_crond_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-mls/user_u_default_contexts 2008-09-22 15:34:21.000000000 -0400
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-mls/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/config/appconfig-mls/xguest_u_default_contexts 2008-09-22 15:37:37.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/config/appconfig-standard/guest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
@ -209,6 +305,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
#
-#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-standard/staff_u_default_contexts 2008-09-22 15:34:45.000000000 -0400
@@ -1,7 +1,7 @@
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t staff_r:staff_t
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t staff_r:staff_crond_t
+system_r:crond_t staff_r:staff_t
system_r:xdm_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t
staff_r:staff_sudo_t staff_r:staff_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.8/config/appconfig-standard/user_u_default_contexts 2008-09-22 15:34:52.000000000 -0400
@@ -1,7 +1,7 @@
system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
-system_r:crond_t user_r:user_crond_t
+system_r:crond_t user_r:user_t
system_r:xdm_t user_r:user_t
user_r:user_su_t user_r:user_t
user_r:user_sudo_t user_r:user_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.8/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/config/appconfig-standard/xguest_u_default_contexts 2008-09-17 08:49:08.000000000 -0400
@ -4279,8 +4399,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.8/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if 2008-09-21 07:27:44.000000000 -0400
@@ -0,0 +1,493 @@
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if 2008-09-22 15:35:16.000000000 -0400
@@ -0,0 +1,293 @@
+
+## <summary>policy for nsplugin</summary>
+
@ -4363,247 +4483,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type $1_tmpfs_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+ type $1_nsplugin_t;
+ domain_type($1_nsplugin_t)
+ domain_entry_file($1_nsplugin_t, nsplugin_exec_t)
+ role $3 types $1_nsplugin_t;
+
+ type $1_nsplugin_config_t;
+ domain_type($1_nsplugin_config_t)
+ domain_entry_file($1_nsplugin_config_t, nsplugin_config_exec_t)
+ role $3 types $1_nsplugin_config_t;
+ role $3 types nsplugin_t;
+ role $3 types nsplugin_config_t;
+
+ role $3 types $1_nsplugin_t;
+ role $3 types $1_nsplugin_config_t;
+
+ allow $1_nsplugin_t $2:process signull;
+ allow nsplugin_t $2:process signull;
+
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($2, nsplugin_rw_t)
+
+ allow $1_nsplugin_t $1_tmpfs_t:file { read getattr };
+
+ #Leaked File Descriptors
+ dontaudit $1_nsplugin_t $2:tcp_socket rw_socket_perms;
+ dontaudit $1_nsplugin_t $2:udp_socket rw_socket_perms;
+ dontaudit $1_nsplugin_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit $1_nsplugin_t $2:unix_dgram_socket rw_socket_perms;
+ dontaudit $1_nsplugin_config_t $2:tcp_socket rw_socket_perms;
+ dontaudit $1_nsplugin_config_t $2:udp_socket rw_socket_perms;
+ dontaudit $1_nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit $1_nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
+ allow $1_nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit $1_nsplugin_t $2:process ptrace;
+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
+
+ allow $2 $1_nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 $1_nsplugin_t:unix_stream_socket connectto;
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+
+ # Connect to pulseaudit server
+ stream_connect_pattern($1_nsplugin_t, user_home_t, user_home_t, $2)
+ gnome_stream_connect($1_nsplugin_t, $2)
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ gnome_stream_connect(nsplugin_t, $2)
+
+ userdom_use_user_terminals($1, $1_nsplugin_t)
+ userdom_use_user_terminals($1, $1_nsplugin_config_t)
+ allow nsplugin_t $1_tmpfs_t:file { read getattr };
+
+ xserver_common_app($1, $1_nsplugin_t)
+ userdom_use_user_terminals($1, nsplugin_t)
+ userdom_use_user_terminals($1, nsplugin_config_t)
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit $1_nsplugin_t self:capability sys_tty_config;
+allow $1_nsplugin_t self:fifo_file rw_file_perms;
+allow $1_nsplugin_t self:process { ptrace getsched setsched signal_perms };
+
+allow $1_nsplugin_t self:sem create_sem_perms;
+allow $1_nsplugin_t self:shm create_shm_perms;
+allow $1_nsplugin_t self:msgq create_msgq_perms;
+allow $1_nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+tunable_policy(`allow_nsplugin_execmem',`
+ allow $1_nsplugin_t self:process { execstack execmem };
+ allow $1_nsplugin_config_t self:process { execstack execmem };
+')
+
+manage_dirs_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(user, $1_nsplugin_t, nsplugin_home_t, {file dir})
+unprivuser_dontaudit_write_home_content_files($1_nsplugin_t)
+
+corecmd_exec_bin($1_nsplugin_t)
+corecmd_exec_shell($1_nsplugin_t)
+
+corenet_all_recvfrom_unlabeled($1_nsplugin_t)
+corenet_all_recvfrom_netlabel($1_nsplugin_t)
+corenet_tcp_connect_flash_port($1_nsplugin_t)
+corenet_tcp_connect_pulseaudio_port($1_nsplugin_t)
+corenet_tcp_connect_http_port($1_nsplugin_t)
+corenet_tcp_sendrecv_generic_if($1_nsplugin_t)
+corenet_tcp_sendrecv_all_nodes($1_nsplugin_t)
+
+domain_dontaudit_read_all_domains_state($1_nsplugin_t)
+
+dev_read_rand($1_nsplugin_t)
+dev_read_sound($1_nsplugin_t)
+dev_write_sound($1_nsplugin_t)
+dev_read_video_dev($1_nsplugin_t)
+dev_write_video_dev($1_nsplugin_t)
+dev_getattr_dri_dev($1_nsplugin_t)
+dev_rwx_zero($1_nsplugin_t)
+
+kernel_read_kernel_sysctls($1_nsplugin_t)
+kernel_read_system_state($1_nsplugin_t)
+
+files_read_usr_files($1_nsplugin_t)
+files_read_etc_files($1_nsplugin_t)
+files_read_config_files($1_nsplugin_t)
+
+fs_list_inotifyfs($1_nsplugin_t)
+fs_manage_tmpfs_files($1_nsplugin_t)
+fs_getattr_tmpfs($1_nsplugin_t)
+fs_getattr_xattr_fs($1_nsplugin_t)
+
+term_dontaudit_getattr_all_user_ptys($1_nsplugin_t)
+term_dontaudit_getattr_all_user_ttys($1_nsplugin_t)
+
+auth_use_nsswitch($1_nsplugin_t)
+
+libs_use_ld_so($1_nsplugin_t)
+libs_use_shared_libs($1_nsplugin_t)
+libs_exec_ld_so($1_nsplugin_t)
+
+miscfiles_read_localization($1_nsplugin_t)
+miscfiles_read_fonts($1_nsplugin_t)
+
+unprivuser_manage_tmp_dirs($1_nsplugin_t)
+unprivuser_manage_tmp_files($1_nsplugin_t)
+unprivuser_manage_tmp_sockets($1_nsplugin_t)
+userdom_tmp_filetrans_user_tmp(user, $1_nsplugin_t, { file dir sock_file })
+unprivuser_read_tmpfs_files($1_nsplugin_t)
+unprivuser_rw_semaphores($1_nsplugin_t)
+unprivuser_delete_tmpfs_files($1_nsplugin_t)
+
+unprivuser_read_home_content_symlinks($1_nsplugin_t)
+unprivuser_read_home_content_files($1_nsplugin_t)
+unprivuser_read_tmp_files($1_nsplugin_t)
+userdom_write_user_tmp_sockets(user, $1_nsplugin_t)
+unprivuser_dontaudit_append_home_content_files($1_nsplugin_t)
+userdom_dontaudit_unlink_unpriv_home_content_files($1_nsplugin_t)
+userdom_dontaudit_manage_user_tmp_files(user, $1_nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config($1_nsplugin_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf($1_nsplugin_t)
+ gnome_manage_user_gnome_config(user, $1_nsplugin_t)
+ allow $1_nsplugin_t gnome_home_t:sock_file write;
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(user, $1_nsplugin_t)
+ mozilla_write_user_home_files(user, $1_nsplugin_t)
+')
+
+optional_policy(`
+ mplayer_exec($1_nsplugin_t)
+ mplayer_read_user_home_files(user, $1_nsplugin_t)
+')
+
+optional_policy(`
+ unconfined_execmem_signull($1_nsplugin_t)
+ unconfined_delete_tmpfs_files($1_nsplugin_t)
+')
+
+optional_policy(`
+ xserver_stream_connect_xdm_xserver($1_nsplugin_t)
+ xserver_xdm_rw_shm($1_nsplugin_t)
+ xserver_read_xdm_tmp_files($1_nsplugin_t)
+ xserver_read_xdm_pid($1_nsplugin_t)
+ xserver_read_user_xauth(user, $1_nsplugin_t)
+ xserver_read_user_iceauth(user, $1_nsplugin_t)
+ xserver_use_user_fonts(user, $1_nsplugin_t)
+ xserver_manage_home_fonts($1_nsplugin_t)
+ xserver_dontaudit_rw_xdm_home_files($1_nsplugin_t)
+')
+
+########################################
+#
+# $1_nsplugin_config local policy
+#
+
+allow $1_nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow $1_nsplugin_config_t self:process { setsched sigkill getsched execmem };
+#execing pulseaudio
+dontaudit $1_nsplugin_t self:process { getcap setcap };
+
+allow $1_nsplugin_config_t self:fifo_file rw_file_perms;
+allow $1_nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+fs_list_inotifyfs($1_nsplugin_config_t)
+
+can_exec($1_nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin($1_nsplugin_config_t)
+corecmd_exec_shell($1_nsplugin_config_t)
+
+kernel_read_system_state($1_nsplugin_config_t)
+
+files_read_etc_files($1_nsplugin_config_t)
+files_read_usr_files($1_nsplugin_config_t)
+files_dontaudit_search_home($1_nsplugin_config_t)
+files_list_tmp($1_nsplugin_config_t)
+
+auth_use_nsswitch($1_nsplugin_config_t)
+
+libs_use_ld_so($1_nsplugin_config_t)
+libs_use_shared_libs($1_nsplugin_config_t)
+
+miscfiles_read_localization($1_nsplugin_config_t)
+miscfiles_read_fonts($1_nsplugin_config_t)
+
+userdom_search_all_users_home_content($1_nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_nsplugin_t)
+ fs_manage_nfs_files($1_nsplugin_t)
+ fs_manage_nfs_dirs($1_nsplugin_config_t)
+ fs_manage_nfs_files($1_nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_nsplugin_t)
+ fs_manage_cifs_files($1_nsplugin_t)
+ fs_manage_cifs_dirs($1_nsplugin_config_t)
+ fs_manage_cifs_files($1_nsplugin_config_t)
+')
+
+domtrans_pattern($1_nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)
+
+optional_policy(`
+ xserver_read_home_fonts($1_nsplugin_config_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(user, $1_nsplugin_config_t)
+')
+
+ optional_policy(`
+ openoffice_plugin_per_role_template($1, $1_nsplugin_t)
+ ')
+ xserver_common_app($1, nsplugin_t)
+')
+
+#######################################
@ -4642,12 +4560,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+
+ nsplugin_per_role_template_notrans($1, $2, $3)
+
+ domtrans_pattern($2, nsplugin_exec_t, $1_nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, $1_nsplugin_config_t)
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+#######################################
@ -4680,10 +4600,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`nsplugin_domtrans_user',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type $1_nsplugin_t;
+ type nsplugin_t;
+ ')
+
+ domtrans_pattern($2, nsplugin_exec_t, $1_nsplugin_t)
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+')
+#######################################
+## <summary>
@ -4715,10 +4635,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`nsplugin_domtrans_user_config',`
+ gen_require(`
+ type nsplugin_config_exec_t;
+ type $1_nsplugin_config_t;
+ type nsplugin_config_t;
+ ')
+
+ domtrans_pattern($2, nsplugin_config_exec_t, $1_nsplugin_config_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+########################################
@ -4776,8 +4696,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.8/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-17 19:06:31.000000000 -0400
@@ -0,0 +1,36 @@
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-22 14:52:12.000000000 -0400
@@ -0,0 +1,234 @@
+
+policy_module(nsplugin, 1.0.0)
+
@ -4810,10 +4730,208 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_user_home_content(user, nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+domain_type(nsplugin_t)
+domain_entry_file(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+application_executable_file(nsplugin_exec_t)
+application_executable_file(nsplugin_config_exec_t)
+
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability sys_tty_config;
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { ptrace getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+tunable_policy(`allow_nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_unlabeled(nsplugin_t)
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+
+files_read_usr_files(nsplugin_t)
+files_read_etc_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_list_inotifyfs(nsplugin_t)
+fs_manage_tmpfs_files(nsplugin_t)
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+
+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_use_ld_so(nsplugin_t)
+libs_use_shared_libs(nsplugin_t)
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
+
+unprivuser_manage_tmp_dirs(nsplugin_t)
+unprivuser_manage_tmp_files(nsplugin_t)
+unprivuser_manage_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file })
+unprivuser_read_tmpfs_files(nsplugin_t)
+unprivuser_rw_semaphores(nsplugin_t)
+unprivuser_delete_tmpfs_files(nsplugin_t)
+
+unprivuser_read_home_content_symlinks(nsplugin_t)
+unprivuser_read_home_content_files(nsplugin_t)
+unprivuser_read_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(user, nsplugin_t)
+unprivuser_dontaudit_append_home_content_files(nsplugin_t)
+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t)
+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(nsplugin_t)
+ gnome_manage_user_gnome_config(user, nsplugin_t)
+ allow nsplugin_t gnome_home_t:sock_file write;
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(user, nsplugin_t)
+ mozilla_write_user_home_files(user, nsplugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(nsplugin_t)
+ mplayer_read_user_home_files(user, nsplugin_t)
+')
+
+optional_policy(`
+ unconfined_execmem_signull(nsplugin_t)
+ unconfined_delete_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
+ xserver_xdm_rw_shm(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_user_xauth(user, nsplugin_t)
+ xserver_read_user_iceauth(user, nsplugin_t)
+ xserver_use_user_fonts(user, nsplugin_t)
+ xserver_manage_home_fonts(nsplugin_t)
+ xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+
+files_read_etc_files(nsplugin_config_t)
+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+libs_use_ld_so(nsplugin_config_t)
+libs_use_shared_libs(nsplugin_config_t)
+
+miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_all_users_home_content(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+ xserver_read_home_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(user, nsplugin_config_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.8/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/policy/modules/apps/openoffice.fc 2008-09-17 08:49:08.000000000 -0400
@ -8292,7 +8410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.8/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/kernel/storage.fc 2008-09-22 12:22:40.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/kernel/storage.fc 2008-09-22 15:56:42.000000000 -0400
@@ -27,6 +27,7 @@
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
@ -8301,14 +8419,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -65,6 +66,7 @@
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.8/policy/modules/roles/guest.fc
--- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.8/policy/modules/roles/guest.fc 2008-09-17 08:49:08.000000000 -0400
@ -13976,7 +14086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2008-09-03 07:59:15.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/cups.te 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/cups.te 2008-09-22 14:18:53.000000000 -0400
@@ -48,6 +48,10 @@
type hplip_t;
type hplip_exec_t;
@ -14058,7 +14168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cupsd_t hplip_var_run_t:file { read getattr };
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -149,44 +174,48 @@
@@ -149,44 +174,49 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@ -14072,6 +14182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
-dev_read_usbfs(cupsd_t)
+dev_rw_input_dev(cupsd_t) #447878
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
dev_getattr_printer_dev(cupsd_t)
@ -14112,7 +14223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
@@ -195,15 +224,16 @@
@@ -195,15 +225,16 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@ -14133,7 +14244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(cupsd_t)
libs_use_ld_so(cupsd_t)
@@ -219,17 +249,22 @@
@@ -219,17 +250,22 @@
miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
@ -14158,7 +14269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -246,8 +281,16 @@
@@ -246,8 +282,16 @@
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@ -14175,7 +14286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -263,6 +306,10 @@
@@ -263,6 +307,10 @@
')
optional_policy(`
@ -14186,7 +14297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -281,7 +328,7 @@
@@ -281,7 +329,7 @@
# Cups configuration daemon local policy
#
@ -14195,7 +14306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -326,6 +373,7 @@
@@ -326,6 +374,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@ -14203,7 +14314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -343,7 +391,7 @@
@@ -343,7 +392,7 @@
files_read_var_symlinks(cupsd_config_t)
# Alternatives asks for this
@ -14212,7 +14323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(cupsd_config_t)
@@ -353,6 +401,7 @@
@@ -353,6 +402,7 @@
logging_send_syslog_msg(cupsd_config_t)
miscfiles_read_localization(cupsd_config_t)
@ -14220,7 +14331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_dontaudit_search_config(cupsd_config_t)
@@ -365,14 +414,16 @@
@@ -365,14 +415,16 @@
sysadm_dontaudit_search_home_dirs(cupsd_config_t)
ifdef(`distro_redhat',`
@ -14239,7 +14350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -388,6 +439,7 @@
@@ -388,6 +440,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@ -14247,7 +14358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -500,7 +552,7 @@
@@ -500,7 +553,7 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@ -14256,7 +14367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cups_stream_connect(hplip_t)
@@ -509,6 +561,8 @@
@@ -509,6 +562,8 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@ -14265,7 +14376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
@@ -538,7 +592,8 @@
@@ -538,7 +593,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@ -14275,7 +14386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
@@ -564,12 +619,14 @@
@@ -564,12 +620,14 @@
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@ -14291,7 +14402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -651,3 +708,45 @@
@@ -651,3 +709,45 @@
optional_policy(`
udev_read_db(ptal_t)
')


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.8
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -381,6 +381,9 @@ exit 0
%endif
%changelog
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-6
- Fix transition to nsplugin
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-5
- Add file context for /dev/mspblk.*