- Update to upstream
This commit is contained in:
Daniel J Walsh
parent
06da2697cc
commit
ddf4ec413f
|
|
@ -1,4 +1,4 @@
|
||||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
d# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||||
#
|
#
|
||||||
allow_execmem = false
|
allow_execmem = false
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -815,6 +815,14 @@ nscd = base
|
||||||
#
|
#
|
||||||
ntp = base
|
ntp = base
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: nx
|
||||||
|
#
|
||||||
|
# NX Remote Desktop
|
||||||
|
#
|
||||||
|
nx = module
|
||||||
|
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: oddjob
|
# Module: oddjob
|
||||||
#
|
#
|
||||||
|
|
|
||||||
|
|
@ -532,6 +532,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.i
|
||||||
+
|
+
|
||||||
+ allow $1 brctl_exec_t:file getattr;
|
+ allow $1 brctl_exec_t:file getattr;
|
||||||
+')
|
+')
|
||||||
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.1.0/policy/modules/admin/brctl.te
|
||||||
|
--- nsaserefpolicy/policy/modules/admin/brctl.te 2007-10-23 07:37:52.000000000 -0400
|
||||||
|
+++ serefpolicy-3.1.0/policy/modules/admin/brctl.te 2007-11-12 18:12:28.000000000 -0500
|
||||||
|
@@ -40,4 +40,5 @@
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
xen_append_log(brctl_t)
|
||||||
|
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
|
||||||
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.1.0/policy/modules/admin/consoletype.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.1.0/policy/modules/admin/consoletype.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-12 08:56:09.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-12 08:56:09.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/admin/consoletype.te 2007-11-06 09:28:35.000000000 -0500
|
+++ serefpolicy-3.1.0/policy/modules/admin/consoletype.te 2007-11-06 09:28:35.000000000 -0500
|
||||||
|
|
@ -3163,7 +3172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
|
||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.1.0/policy/modules/kernel/files.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.1.0/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/kernel/files.if 2007-11-09 14:39:44.000000000 -0500
|
+++ serefpolicy-3.1.0/policy/modules/kernel/files.if 2007-11-12 18:07:03.000000000 -0500
|
||||||
@@ -3054,6 +3054,24 @@
|
@@ -3054,6 +3054,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
@ -3189,7 +3198,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
|
||||||
## Search the tmp directory (/tmp).
|
## Search the tmp directory (/tmp).
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4756,3 +4774,54 @@
|
@@ -4717,7 +4735,6 @@
|
||||||
|
files_search_home($1)
|
||||||
|
corecmd_exec_bin($1)
|
||||||
|
seutil_domtrans_setfiles($1)
|
||||||
|
- mount_domtrans($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -4756,3 +4773,54 @@
|
||||||
|
|
||||||
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
|
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
@ -10565,7 +10582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.1.0/policy/modules/services/xserver.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.1.0/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400
|
||||||
+++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-12 11:58:29.000000000 -0500
|
+++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-12 18:26:06.000000000 -0500
|
||||||
@@ -16,6 +16,13 @@
|
@@ -16,6 +16,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
|
|
@ -10584,11 +10601,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
type xdm_var_run_t;
|
type xdm_var_run_t;
|
||||||
files_pid_file(xdm_var_run_t)
|
files_pid_file(xdm_var_run_t)
|
||||||
|
|
||||||
|
+type xserver_var_lib_t;
|
||||||
|
+files_type(xserver_var_lib_t)
|
||||||
|
+
|
||||||
+type xserver_var_run_t;
|
+type xserver_var_run_t;
|
||||||
+files_pid_file(xserver_var_run_t)
|
+files_pid_file(xserver_var_run_t)
|
||||||
+
|
|
||||||
+type xdm_var_run_t;
|
|
||||||
+files_pid_file(xdm_var_run_t)
|
|
||||||
+
|
+
|
||||||
type xdm_tmp_t;
|
type xdm_tmp_t;
|
||||||
files_tmp_file(xdm_tmp_t)
|
files_tmp_file(xdm_tmp_t)
|
||||||
|
|
@ -10753,11 +10770,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
+ # xserver signals unconfined user on startx
|
+ # xserver signals unconfined user on startx
|
||||||
+ unconfined_signal(xdm_xserver_t)
|
+ unconfined_signal(xdm_xserver_t)
|
||||||
+ unconfined_getpgid(xdm_xserver_t)
|
+ unconfined_getpgid(xdm_xserver_t)
|
||||||
+')
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+tunable_policy(`allow_xserver_execmem', `
|
|
||||||
+ allow xdm_xserver_t self:process { execheap execmem execstack };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
-ifdef(`TODO',`
|
-ifdef(`TODO',`
|
||||||
|
|
@ -10781,6 +10793,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||||
-allow xdm_t polymember:lnk_file { create unlink };
|
-allow xdm_t polymember:lnk_file { create unlink };
|
||||||
-# xdm needs access for copying .Xauthority into new home
|
-# xdm needs access for copying .Xauthority into new home
|
||||||
-allow xdm_t polymember:file { create getattr write };
|
-allow xdm_t polymember:file { create getattr write };
|
||||||
|
+
|
||||||
|
+tunable_policy(`allow_xserver_execmem', `
|
||||||
|
+ allow xdm_xserver_t self:process { execheap execmem execstack };
|
||||||
|
+')
|
||||||
|
+
|
||||||
+ifndef(`distro_redhat',`
|
+ifndef(`distro_redhat',`
|
||||||
+ allow xdm_xserver_t self:process { execheap execmem };
|
+ allow xdm_xserver_t self:process { execheap execmem };
|
||||||
+')
|
+')
|
||||||
|
|
|
||||||
|
|
@ -16,12 +16,12 @@
|
||||||
%define CHECKPOLICYVER 2.0.3-1
|
%define CHECKPOLICYVER 2.0.3-1
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.1.1
|
Version: 3.1.2
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
patch: policy-20071023.patch
|
patch: policy-20071114.patch
|
||||||
Source1: modules-targeted.conf
|
Source1: modules-targeted.conf
|
||||||
Source2: booleans-targeted.conf
|
Source2: booleans-targeted.conf
|
||||||
Source3: Makefile.devel
|
Source3: Makefile.devel
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue