- Fix Upgrade path to install unconfineduser.pp when unocnfined package is
3.0.0 or less
This commit is contained in:
parent
b11dbbb323
commit
e080bbd4f6
@ -358,6 +358,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
|
||||
.SH BOOLEANS
|
||||
.TP
|
||||
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-3.6.12/policy/global_booleans
|
||||
--- nsaserefpolicy/policy/global_booleans 2008-08-07 11:15:13.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/global_booleans 2009-04-28 09:51:52.000000000 -0400
|
||||
@@ -28,3 +28,11 @@
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_bool(secure_mode_policyload,false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow unconfined domain to map low memory in the kernel
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(allow_unconfined_mmap_low, false)
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables
|
||||
--- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/global_tunables 2009-04-23 09:44:57.000000000 -0400
|
||||
@ -7402,8 +7417,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-24 00:00:31.000000000 -0400
|
||||
@@ -0,0 +1,400 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-27 15:35:55.000000000 -0400
|
||||
@@ -0,0 +1,393 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -7428,13 +7443,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow unconfined domain to map low memory in the kernel
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(allow_unconfined_mmap_low, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Transition to confined qemu domains from unconfined user
|
||||
+## </p>
|
||||
+## </desc>
|
||||
@ -29430,8 +29438,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.12/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-23 09:44:57.000000000 -0400
|
||||
@@ -5,227 +5,6 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-28 09:51:35.000000000 -0400
|
||||
@@ -1,231 +1,9 @@
|
||||
|
||||
-policy_module(unconfined, 3.0.0)
|
||||
+policy_module(unconfined, 3.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
@ -29444,7 +29457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-userdom_manage_home_role(unconfined_r, unconfined_t)
|
||||
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
|
||||
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
|
||||
|
||||
-
|
||||
-type unconfined_exec_t;
|
||||
-init_system_domain(unconfined_t, unconfined_exec_t)
|
||||
-
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 21%{?dist}
|
||||
Release: 22%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -160,7 +160,7 @@ bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp
|
||||
if [ -s /etc/selinux/config ]; then \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
||||
if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \
|
||||
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
|
||||
cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
||||
fi \
|
||||
fi
|
||||
@ -179,7 +179,7 @@ semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
||||
selinuxenabled; \
|
||||
if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
||||
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
||||
fixfiles -C ${FILE_CONTEXT}.pre restore; \
|
||||
restorecon -R /var/log /var/run 2> /dev/null; \
|
||||
rm -f ${FILE_CONTEXT}.pre; \
|
||||
@ -311,23 +311,57 @@ SELinux Reference policy targeted base module.
|
||||
%saveFileContext targeted
|
||||
|
||||
%post targeted
|
||||
function get_unconfined() {
|
||||
# We only want to upgrade unconfined.pp and unconfineduser if they are
|
||||
# currently installed. If you have a version 3.0.0 or less of unconfined
|
||||
# installed, you will need to install both, since unconfineduser did not exist
|
||||
# prior to this.
|
||||
both="unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
packages=""
|
||||
ctr=0
|
||||
while [ "$1" != "" ]; do
|
||||
if [ "$1" = "unconfineduser" ]; then
|
||||
packages="unconfineduser.pp.bz2 $packages"
|
||||
let "ctr+=1"
|
||||
fi
|
||||
if [ "$1" = "unconfined" ]; then
|
||||
packages="unconfined.pp.bz2 $packages"
|
||||
version=$2
|
||||
let "ctr+=1"
|
||||
fi
|
||||
shift;
|
||||
shift;
|
||||
done
|
||||
|
||||
if [ $ctr -lt 2 -a "$version" != "" ]; then
|
||||
f1=`echo $version | cut -d. -f 1`
|
||||
if [ $f1 -lt 3 ]; then
|
||||
packages=$both
|
||||
else
|
||||
if [ $f1 -eq 3 ]; then
|
||||
f2=`echo $version | cut -s -d. -f2`
|
||||
f3=`echo $version | cut -s -d. -f3`
|
||||
if [ \( -z "$f2" \) -o \( \( "$f2" -eq 0 \) -a \( -z "f3" -o "$f3" -eq 0 \) \) ]; then
|
||||
packages=$both
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
echo $packages
|
||||
}
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
|
||||
%loadpolicy targeted $packages
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
else
|
||||
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
|
||||
|
||||
packages=""
|
||||
for i in `semodule -l | awk '{print $1 }' | grep -E "(^unconfined$|^unconfineduser$)"`; do
|
||||
packages="$packages $i.pp.bz2"
|
||||
done
|
||||
packages=`get_unconfined $(semodule -l)`
|
||||
%loadpolicy targeted $packages
|
||||
%relabel targeted
|
||||
fi
|
||||
exit 0
|
||||
|
||||
|
||||
%triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
|
||||
. /etc/selinux/config
|
||||
[ "${SELINUXTYPE}" != "targeted" ] && exit 0
|
||||
@ -341,7 +375,7 @@ fi
|
||||
seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
|
||||
[ "$seuser" != "unconfined_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__
|
||||
seuser=`semanage login -l | grep root | awk '{ print $2 }'`
|
||||
[ "$seuser" == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root
|
||||
[ "$seuser" = "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root
|
||||
restorecon -R /root /etc/selinux/targeted 2> /dev/null
|
||||
semodule -r qmail 2> /dev/null
|
||||
exit 0
|
||||
@ -446,8 +480,11 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-22
|
||||
- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
|
||||
|
||||
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-21
|
||||
- Allow confined users to manace virt_content_t, since this is home dir content
|
||||
- Allow confined users to manage virt_content_t, since this is home dir content
|
||||
- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
|
||||
|
||||
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20
|
||||
|
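Review bot: The version test inside get_unconfined() in the `%post targeted` hunk, `\( -z "f3" -o "$f3" -eq 0 \)`, checks the literal string `f3` rather than `$f3`, so that `-z` is never true and a two-component version such as `3.0` falls through to `"" -eq 0`, which `test` rejects as a non-integer expression; that upgrade would then not receive unconfineduser.pp, the case the commit sets out to fix. The line should read `if [ \( -z "$f2" \) -o \( \( "$f2" -eq 0 \) -a \( -z "$f3" -o "$f3" -eq 0 \) \) ]; then`. The same scriptlet switches `==` to `=` for POSIX `test`, yet `let "ctr+=1"` is still bash-only (`ctr=$((ctr+1))` would match that intent), and `$ctr`, `$f1` and `$1` are unquoted in the `-lt`/`-eq` tests, so an empty or non-numeric field from `semodule -l` yields a test error rather than a clean false. The `for i in \`semodule -l ...\`` loop looks like the old code superseded by the `packages=\`get_unconfined $(semodule -l)\`` line, but the rendered view has lost the +/- markers, so I cannot confirm which side each is on.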