- Update to upstream

2008-10-15 01:37:04 +00:00 · 2008-10-15 01:37:04 +00:00 · e8fc9eec3a
commit e8fc9eec3a
parent 4125702a20
1 changed files with 49 additions and 38 deletions
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -21454,7 +21454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
         rpm_use_script_fds(setroubleshootd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.12/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/smartmon.te	2008-10-14 15:00:15.000000000 -0400
+++ serefpolicy-3.5.12/policy/modules/services/smartmon.te	2008-10-14 21:15:21.000000000 -0400
@@ -19,6 +19,10 @@
 type fsdaemon_tmp_t;
 files_tmp_file(fsdaemon_tmp_t)
@ -21479,7 +21479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_udp_sendrecv_all_nodes(fsdaemon_t)
 corenet_udp_sendrecv_all_ports(fsdaemon_t)
-+dev_del_generic_dirs(fsdaemon_t)
+dev_delete_generic_dirs(fsdaemon_t)
 dev_read_sysfs(fsdaemon_t)
 dev_read_urand(fsdaemon_t)
@ -22982,7 +22982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.12/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/virt.if	2008-10-14 15:00:15.000000000 -0400
+++ serefpolicy-3.5.12/policy/modules/services/virt.if	2008-10-14 21:22:03.000000000 -0400
@@ -78,6 +78,24 @@
 ########################################
@ -23072,19 +23072,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	virt_manage_lib_files($1)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/virt.te	2008-10-14 15:00:15.000000000 -0400
+++ serefpolicy-3.5.12/policy/modules/services/virt.te	2008-10-14 21:22:40.000000000 -0400
-@@ -28,9 +28,7 @@
+@@ -5,6 +5,7 @@
 #
 # Declarations
 #
 +attribute virt_image_type;
 ## <desc>
 ## <p>
@@ -27,10 +28,8 @@
 files_type(virt_etc_rw_t)
 # virt Image files
- type virt_image_t; # customizable
+-type virt_image_t; # customizable
 -files_type(virt_image_t)
 -# virt_image_t can be assigned to blk devices
 -dev_node(virt_image_t)
 +type virt_image_t, virt_image_type; # customizable
 +virt_image(virt_image_t)
 type virt_log_t;
 logging_log_file(virt_log_t)
-@@ -45,6 +43,9 @@
+@@ -45,6 +44,9 @@
 type virtd_exec_t;
 init_daemon_domain(virtd_t, virtd_exec_t)
@ -23094,7 +23104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # virtd local policy
-@@ -49,9 +50,8 @@
+@@ -49,9 +51,8 @@
 #
 # virtd local policy
 #
@ -23105,7 +23115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow virtd_t self:fifo_file rw_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 allow virtd_t self:tcp_socket create_stream_socket_perms;
-@@ -64,7 +64,7 @@
+@@ -64,7 +65,7 @@
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -23114,7 +23124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -82,6 +82,8 @@
+@@ -82,6 +83,8 @@
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
@ -23123,7 +23133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_load_module(virtd_t)
 corecmd_exec_bin(virtd_t)
-@@ -93,7 +95,7 @@
+@@ -93,7 +96,7 @@
 corenet_tcp_sendrecv_all_nodes(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_all_nodes(virtd_t)
@ -23132,7 +23142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_vnc_port(virtd_t)
 corenet_tcp_connect_vnc_port(virtd_t)
 corenet_tcp_connect_soundd_port(virtd_t)
-@@ -107,8 +109,10 @@
+@@ -107,8 +110,10 @@
 files_read_usr_files(virtd_t)
 files_read_etc_files(virtd_t)
@ -23143,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_list_auto_mountpoints(virtd_t)
-@@ -162,26 +166,27 @@
+@@ -162,26 +167,27 @@
 	')
 ')
@ -23180,7 +23190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -189,9 +194,10 @@
+@@ -189,9 +195,10 @@
 ')
 optional_policy(`
@ -23294,7 +23304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/xserver.if	2008-10-14 15:02:15.000000000 -0400
+++ serefpolicy-3.5.12/policy/modules/services/xserver.if	2008-10-14 21:00:40.000000000 -0400
@@ -16,6 +16,7 @@
 	gen_require(`
 		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -23618,7 +23628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-@@ -649,13 +571,212 @@
+@@ -649,13 +571,213 @@
 	xserver_read_xdm_tmp_files($2)
@ -23780,6 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		type clipboard_xselection_t;
 +		type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t;
 +		type manage_xevent_t, output_xext_t, property_xevent_t;
 +		type debug_xext_t, screensaver_xext_t;
 +		type shmem_xext_t, xselection_t;
 +		attribute xevent_type, xextension_type;
 +	')
@ -23835,7 +23846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #######################################
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
-@@ -682,7 +803,7 @@
+@@ -682,7 +804,7 @@
 #
 template(`xserver_common_x_domain_template',`
 	gen_require(`
@ -23844,7 +23855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
 		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
 		type xevent_t, client_xevent_t;
-@@ -691,7 +812,6 @@
+@@ -691,7 +813,6 @@
 		attribute x_server_domain, x_domain;
 		attribute xproperty_type;
 		attribute xevent_type, xextension_type;
@ -23852,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		class x_drawable all_x_drawable_perms;
 		class x_screen all_x_screen_perms;
-@@ -708,6 +828,7 @@
+@@ -708,6 +829,7 @@
 		class x_resource all_x_resource_perms;
 		class x_event all_x_event_perms;
 		class x_synthetic_event all_x_synthetic_event_perms;
@ -23860,7 +23871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	##############################
-@@ -715,20 +836,22 @@
+@@ -715,20 +837,22 @@
 	# Declarations
 	#
@ -23886,7 +23897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	##############################
 	#
 	# Local Policy
-@@ -746,7 +869,7 @@
+@@ -746,7 +870,7 @@
 	allow $3 x_server_domain:x_server getattr;
 	# everyone can do override-redirect windows.
 	# this could be used to spoof labels
@ -23895,7 +23906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# everyone can receive management events on the root window
 	# allows to know when new windows appear, among other things
 	allow $3 manage_xevent_t:x_event receive;
-@@ -755,36 +878,30 @@
+@@ -755,36 +879,30 @@
 	# can read server-owned resources
 	allow $3 x_server_domain:x_resource read;
 	# can mess with own clients
@ -23942,7 +23953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# X Input
 	# can receive own events
-@@ -811,6 +928,12 @@
+@@ -811,6 +929,12 @@
 	allow $3 manage_xevent_t:x_synthetic_event send;
 	allow $3 client_xevent_t:x_synthetic_event send;
@ -23955,7 +23966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# X Selections
 	# can use the clipboard
 	allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
-@@ -819,13 +942,15 @@
+@@ -819,13 +943,15 @@
 	# Other X Objects
 	# can create and use cursors
@ -23975,7 +23986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	tunable_policy(`! xserver_object_manager',`
 		# should be xserver_unconfined($3),
-@@ -885,24 +1010,17 @@
+@@ -885,24 +1011,17 @@
 #
 template(`xserver_user_x_domain_template',`
 	gen_require(`
@ -24007,7 +24018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow connections to X server.
 	files_search_tmp($3)
-@@ -917,16 +1035,12 @@
+@@ -917,16 +1036,12 @@
 	xserver_rw_session_template($1, $3, $4)
 	xserver_use_user_fonts($1, $3)
@ -24027,7 +24038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -958,26 +1072,43 @@
+@@ -958,26 +1073,43 @@
 #
 template(`xserver_use_user_fonts',`
 	gen_require(`
@ -24078,7 +24089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -1003,10 +1134,77 @@
+@@ -1003,10 +1135,77 @@
 #
 template(`xserver_domtrans_user_xauth',`
 	gen_require(`
@ -24158,7 +24169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1036,10 +1234,10 @@
+@@ -1036,10 +1235,10 @@
 #
 template(`xserver_user_home_dir_filetrans_user_xauth',`
 	gen_require(`
@ -24171,7 +24182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1225,6 +1423,25 @@
+@@ -1225,6 +1424,25 @@
 ########################################
 ## <summary>
@ -24197,7 +24208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Read xdm-writable configuration files.
 ## </summary>
 ## <param name="domain">
-@@ -1279,6 +1496,7 @@
+@@ -1279,6 +1497,7 @@
 	files_search_tmp($1)
 	allow $1 xdm_tmp_t:dir list_dir_perms;
 	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@ -24205,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1297,7 +1515,7 @@
+@@ -1297,7 +1516,7 @@
 	')
 	files_search_pids($1)
@ -24214,7 +24225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1320,6 +1538,24 @@
+@@ -1320,6 +1539,24 @@
 ########################################
 ## <summary>
@ -24239,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute the X server in the XDM X server domain.
 ## </summary>
 ## <param name="domain">
-@@ -1330,15 +1566,47 @@
+@@ -1330,15 +1567,47 @@
 #
 interface(`xserver_domtrans_xdm_xserver',`
 	gen_require(`
@ -24288,7 +24299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -1488,7 +1756,7 @@
+@@ -1488,7 +1757,7 @@
 		type xdm_xserver_tmp_t;
 	')
@ -24297,7 +24308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1680,6 +1948,26 @@
+@@ -1680,6 +1949,26 @@
 ########################################
 ## <summary>
@ -24324,7 +24335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	xdm xserver RW shared memory socket.
 ## </summary>
 ## <param name="domain">
-@@ -1698,6 +1986,24 @@
+@@ -1698,6 +1987,24 @@
 ########################################
 ## <summary>
@ -24349,7 +24360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain complete control over the
 ##	display.
-@@ -1710,8 +2016,157 @@
+@@ -1710,8 +2017,157 @@
 #
 interface(`xserver_unconfined',`
 	gen_require(`