- Update from upstream

2007-08-03 20:38:28 +00:00 · 2007-08-03 20:38:28 +00:00 · d8c8b2b904
parent f9778219aa
commit d8c8b2b904
2 changed files with 37 additions and 29 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -7279,7 +7279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.5/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/setroubleshoot.te	2007-08-03 14:06:26.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/setroubleshoot.te	2007-08-03 16:01:19.000000000 -0400
@@ -33,7 +33,6 @@
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -7297,7 +7297,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 kernel_read_kernel_sysctls(setroubleshootd_t)
 kernel_read_system_state(setroubleshootd_t)
 kernel_read_network_state(setroubleshootd_t)
-@@ -76,6 +77,9 @@
+@@ -68,6 +69,7 @@
+ corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+ 
+ dev_read_urand(setroubleshootd_t)
+dev_read_sysfs(setroubleshootd_t)
+ 
+ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+ 
+@@ -76,6 +78,9 @@
 files_getattr_all_dirs(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
 
@ -7307,7 +7315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 selinux_get_enforce_mode(setroubleshootd_t)
 selinux_validate_context(setroubleshootd_t)
 
-@@ -108,6 +112,3 @@
+@@ -108,6 +113,3 @@
         rpm_use_script_fds(setroubleshootd_t)
 ')
 
@ -10782,7 +10790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/unconfined.te	2007-08-03 14:06:26.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/unconfined.te	2007-08-03 16:28:55.000000000 -0400
@@ -5,28 +5,36 @@
 #
 # Declarations
@ -10835,7 +10843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
-@@ -42,23 +51,22 @@
+@@ -42,37 +51,30 @@
 logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
 mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -10853,35 +10861,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 optional_policy(`
 -	ada_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+-	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+-	apache_per_role_template(unconfined,unconfined_t,unconfined_r)
+-	# this is disallowed usage:
+-	unconfined_domain(httpd_unconfined_script_t)
 +	ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
- 	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-	apache_per_role_template(unconfined,unconfined_t,unconfined_r)
-	# this is disallowed usage:
-	unconfined_domain(httpd_unconfined_script_t)
- ')
- 
- optional_policy(`
-@@ -66,16 +74,6 @@
+-	bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
 -	bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-')
-
-optional_policy(`
+	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+ 
+ optional_policy(`
 -	cron_per_role_template(unconfined,unconfined_t,unconfined_r)
 -	# this is disallowed usage:
 -	unconfined_domain(unconfined_crond_t)
-')
-
-optional_policy(`
- 	init_dbus_chat_script(unconfined_t)
+	bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
 
- 	dbus_stub(unconfined_t)
-@@ -118,11 +116,7 @@
+ optional_policy(`
+@@ -118,11 +120,7 @@
 ')
 
 optional_policy(`
@ -10894,7 +10902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -134,11 +128,7 @@
+@@ -134,11 +132,7 @@
 ')
 
 optional_policy(`
@ -10907,7 +10915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -155,22 +145,12 @@
+@@ -155,22 +149,12 @@
 
 optional_policy(`
 	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -10932,7 +10940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -180,10 +160,6 @@
+@@ -180,10 +164,6 @@
 ')
 
 optional_policy(`
@ -10943,7 +10951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 	sysnet_dbus_chat_dhcpc(unconfined_t)
 ')
-@@ -205,11 +181,12 @@
+@@ -205,11 +185,12 @@
 ')
 
 optional_policy(`
@ -10957,7 +10965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -227,6 +204,17 @@
+@@ -227,6 +208,17 @@
 	unconfined_dbus_chat(unconfined_execmem_t)
 
 	optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -143,7 +143,7 @@ install -m0644 ${RPM_SOURCE_DIR}/setrans-%1.conf %{buildroot}%{_sysconfdir}/seli
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u 
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u

 %define saveFileContext() \
 if [ -s /etc/selinux/config ]; then \
@ -303,8 +303,8 @@ semanage user -a -P xguest -R xguest_r xguest_u
 exit 0

 %files targeted
+%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/xguest_u
 %fileList targeted
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u
 %endif

 %if %{BUILD_OLPC}