- Update to upstream

This commit is contained in:
Daniel J Walsh 2008-10-15 01:37:04 +00:00
parent 4125702a20
commit e8fc9eec3a


@ -21454,7 +21454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_use_script_fds(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.12/policy/modules/services/smartmon.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.12/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-14 11:58:09.000000000 -0400 --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 15:00:15.000000000 -0400 +++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 21:15:21.000000000 -0400
@@ -19,6 +19,10 @@ @@ -19,6 +19,10 @@
type fsdaemon_tmp_t; type fsdaemon_tmp_t;
files_tmp_file(fsdaemon_tmp_t) files_tmp_file(fsdaemon_tmp_t)
@ -21479,7 +21479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_udp_sendrecv_all_nodes(fsdaemon_t) corenet_udp_sendrecv_all_nodes(fsdaemon_t)
corenet_udp_sendrecv_all_ports(fsdaemon_t) corenet_udp_sendrecv_all_ports(fsdaemon_t)
+dev_del_generic_dirs(fsdaemon_t) +dev_delete_generic_dirs(fsdaemon_t)
dev_read_sysfs(fsdaemon_t) dev_read_sysfs(fsdaemon_t)
dev_read_urand(fsdaemon_t) dev_read_urand(fsdaemon_t)
@ -22982,7 +22982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.12/policy/modules/services/virt.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.12/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400 --- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 15:00:15.000000000 -0400 +++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 21:22:03.000000000 -0400
@@ -78,6 +78,24 @@ @@ -78,6 +78,24 @@
######################################## ########################################
@ -23072,19 +23072,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
virt_manage_lib_files($1) virt_manage_lib_files($1)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.12/policy/modules/services/virt.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 15:00:15.000000000 -0400 +++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 21:22:40.000000000 -0400
@@ -28,9 +28,7 @@ @@ -5,6 +5,7 @@
#
# Declarations
#
+attribute virt_image_type;
## <desc>
## <p>
@@ -27,10 +28,8 @@
files_type(virt_etc_rw_t)
# virt Image files # virt Image files
type virt_image_t; # customizable -type virt_image_t; # customizable
-files_type(virt_image_t) -files_type(virt_image_t)
-# virt_image_t can be assigned to blk devices -# virt_image_t can be assigned to blk devices
-dev_node(virt_image_t) -dev_node(virt_image_t)
+type virt_image_t, virt_image_type; # customizable
+virt_image(virt_image_t) +virt_image(virt_image_t)
type virt_log_t; type virt_log_t;
logging_log_file(virt_log_t) logging_log_file(virt_log_t)
@@ -45,6 +43,9 @@ @@ -45,6 +44,9 @@
type virtd_exec_t; type virtd_exec_t;
init_daemon_domain(virtd_t, virtd_exec_t) init_daemon_domain(virtd_t, virtd_exec_t)
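Review bot: The rewrite of the virt_image_t declaration drops the `# virt_image_t can be assigned to blk devices` comment together with the explicit `dev_node(virt_image_t)` call, so whether block-device labeling of images is still permitted now depends entirely on the body of the new `virt_image()` interface in virt.if, which is outside this hunk. A reader of virt.te can no longer see that intent, and the customizable-type note on the `type virt_image_t, virt_image_type;` line says nothing about the new attribute. Consider keeping a one-line pointer next to the declaration, e.g. `# virt_image_type: every image type gets the rules written against the attribute below; dev_node handling lives in virt_image() (virt.if)`. The new `attribute virt_image_type;` line also deserves a short comment stating that it is meant to be applied only to customizable image types, since any type later tagged with it inherits all attribute-based rules in this module. The enclosing patch hunk continues past the declarations shown here.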
@ -23094,7 +23104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
# #
# virtd local policy # virtd local policy
@@ -49,9 +50,8 @@ @@ -49,9 +51,8 @@
# #
# virtd local policy # virtd local policy
# #
@ -23105,7 +23115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:fifo_file rw_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -64,7 +64,7 @@ @@ -64,7 +65,7 @@
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -23114,7 +23124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
@@ -82,6 +82,8 @@ @@ -82,6 +83,8 @@
kernel_read_system_state(virtd_t) kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t) kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t) kernel_rw_net_sysctls(virtd_t)
@ -23123,7 +23133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_load_module(virtd_t) kernel_load_module(virtd_t)
corecmd_exec_bin(virtd_t) corecmd_exec_bin(virtd_t)
@@ -93,7 +95,7 @@ @@ -93,7 +96,7 @@
corenet_tcp_sendrecv_all_nodes(virtd_t) corenet_tcp_sendrecv_all_nodes(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_all_nodes(virtd_t) corenet_tcp_bind_all_nodes(virtd_t)
@ -23132,7 +23142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t)
@@ -107,8 +109,10 @@ @@ -107,8 +110,10 @@
files_read_usr_files(virtd_t) files_read_usr_files(virtd_t)
files_read_etc_files(virtd_t) files_read_etc_files(virtd_t)
@ -23143,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_list_auto_mountpoints(virtd_t) fs_list_auto_mountpoints(virtd_t)
@@ -162,26 +166,27 @@ @@ -162,26 +167,27 @@
') ')
') ')
@ -23180,7 +23190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -189,9 +194,10 @@ @@ -189,9 +195,10 @@
') ')
optional_policy(` optional_policy(`
@ -23294,7 +23304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 15:02:15.000000000 -0400 +++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 21:00:40.000000000 -0400
@@ -16,6 +16,7 @@ @@ -16,6 +16,7 @@
gen_require(` gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t; type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -23618,7 +23628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for when /tmp/.X11-unix is created by the system # for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use; allow $2 xdm_t:fd use;
@@ -649,13 +571,212 @@ @@ -649,13 +571,213 @@
xserver_read_xdm_tmp_files($2) xserver_read_xdm_tmp_files($2)
@ -23780,6 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type clipboard_xselection_t; + type clipboard_xselection_t;
+ type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t; + type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t;
+ type manage_xevent_t, output_xext_t, property_xevent_t; + type manage_xevent_t, output_xext_t, property_xevent_t;
+ type debug_xext_t, screensaver_xext_t;
+ type shmem_xext_t, xselection_t; + type shmem_xext_t, xselection_t;
+ attribute xevent_type, xextension_type; + attribute xevent_type, xextension_type;
+ ') + ')
@ -23835,7 +23846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
####################################### #######################################
## <summary> ## <summary>
## Interface to provide X object permissions on a given X server to ## Interface to provide X object permissions on a given X server to
@@ -682,7 +803,7 @@ @@ -682,7 +804,7 @@
# #
template(`xserver_common_x_domain_template',` template(`xserver_common_x_domain_template',`
gen_require(` gen_require(`
@ -23844,7 +23855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t; type xevent_t, client_xevent_t;
@@ -691,7 +812,6 @@ @@ -691,7 +813,6 @@
attribute x_server_domain, x_domain; attribute x_server_domain, x_domain;
attribute xproperty_type; attribute xproperty_type;
attribute xevent_type, xextension_type; attribute xevent_type, xextension_type;
@ -23852,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
class x_drawable all_x_drawable_perms; class x_drawable all_x_drawable_perms;
class x_screen all_x_screen_perms; class x_screen all_x_screen_perms;
@@ -708,6 +828,7 @@ @@ -708,6 +829,7 @@
class x_resource all_x_resource_perms; class x_resource all_x_resource_perms;
class x_event all_x_event_perms; class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms; class x_synthetic_event all_x_synthetic_event_perms;
@ -23860,7 +23871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
############################## ##############################
@@ -715,20 +836,22 @@ @@ -715,20 +837,22 @@
# Declarations # Declarations
# #
@ -23886,7 +23897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
# Local Policy # Local Policy
@@ -746,7 +869,7 @@ @@ -746,7 +870,7 @@
allow $3 x_server_domain:x_server getattr; allow $3 x_server_domain:x_server getattr;
# everyone can do override-redirect windows. # everyone can do override-redirect windows.
# this could be used to spoof labels # this could be used to spoof labels
@ -23895,7 +23906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# everyone can receive management events on the root window # everyone can receive management events on the root window
# allows to know when new windows appear, among other things # allows to know when new windows appear, among other things
allow $3 manage_xevent_t:x_event receive; allow $3 manage_xevent_t:x_event receive;
@@ -755,36 +878,30 @@ @@ -755,36 +879,30 @@
# can read server-owned resources # can read server-owned resources
allow $3 x_server_domain:x_resource read; allow $3 x_server_domain:x_resource read;
# can mess with own clients # can mess with own clients
@ -23942,7 +23953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Input # X Input
# can receive own events # can receive own events
@@ -811,6 +928,12 @@ @@ -811,6 +929,12 @@
allow $3 manage_xevent_t:x_synthetic_event send; allow $3 manage_xevent_t:x_synthetic_event send;
allow $3 client_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send;
@ -23955,7 +23966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Selections # X Selections
# can use the clipboard # can use the clipboard
allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
@@ -819,13 +942,15 @@ @@ -819,13 +943,15 @@
# Other X Objects # Other X Objects
# can create and use cursors # can create and use cursors
@ -23975,7 +23986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`! xserver_object_manager',` tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined($3), # should be xserver_unconfined($3),
@@ -885,24 +1010,17 @@ @@ -885,24 +1011,17 @@
# #
template(`xserver_user_x_domain_template',` template(`xserver_user_x_domain_template',`
gen_require(` gen_require(`
@ -24007,7 +24018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow connections to X server. # Allow connections to X server.
files_search_tmp($3) files_search_tmp($3)
@@ -917,16 +1035,12 @@ @@ -917,16 +1036,12 @@
xserver_rw_session_template($1, $3, $4) xserver_rw_session_template($1, $3, $4)
xserver_use_user_fonts($1, $3) xserver_use_user_fonts($1, $3)
@ -24027,7 +24038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -958,26 +1072,43 @@ @@ -958,26 +1073,43 @@
# #
template(`xserver_use_user_fonts',` template(`xserver_use_user_fonts',`
gen_require(` gen_require(`
@ -24078,7 +24089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Transition to a user Xauthority domain. ## Transition to a user Xauthority domain.
## </summary> ## </summary>
## <desc> ## <desc>
@@ -1003,10 +1134,77 @@ @@ -1003,10 +1135,77 @@
# #
template(`xserver_domtrans_user_xauth',` template(`xserver_domtrans_user_xauth',`
gen_require(` gen_require(`
@ -24158,7 +24169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1036,10 +1234,10 @@ @@ -1036,10 +1235,10 @@
# #
template(`xserver_user_home_dir_filetrans_user_xauth',` template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(` gen_require(`
@ -24171,7 +24182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1225,6 +1423,25 @@ @@ -1225,6 +1424,25 @@
######################################## ########################################
## <summary> ## <summary>
@ -24197,7 +24208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read xdm-writable configuration files. ## Read xdm-writable configuration files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1279,6 +1496,7 @@ @@ -1279,6 +1497,7 @@
files_search_tmp($1) files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms; allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@ -24205,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1297,7 +1515,7 @@ @@ -1297,7 +1516,7 @@
') ')
files_search_pids($1) files_search_pids($1)
@ -24214,7 +24225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1320,6 +1538,24 @@ @@ -1320,6 +1539,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -24239,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute the X server in the XDM X server domain. ## Execute the X server in the XDM X server domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1330,15 +1566,47 @@ @@ -1330,15 +1567,47 @@
# #
interface(`xserver_domtrans_xdm_xserver',` interface(`xserver_domtrans_xdm_xserver',`
gen_require(` gen_require(`
@ -24288,7 +24299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Make an X session script an entrypoint for the specified domain. ## Make an X session script an entrypoint for the specified domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1488,7 +1756,7 @@ @@ -1488,7 +1757,7 @@
type xdm_xserver_tmp_t; type xdm_xserver_tmp_t;
') ')
@ -24297,7 +24308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1680,6 +1948,26 @@ @@ -1680,6 +1949,26 @@
######################################## ########################################
## <summary> ## <summary>
@ -24324,7 +24335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## xdm xserver RW shared memory socket. ## xdm xserver RW shared memory socket.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1698,6 +1986,24 @@ @@ -1698,6 +1987,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -24349,7 +24360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to ## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the ## an X client domain. Gives the domain complete control over the
## display. ## display.
@@ -1710,8 +2016,157 @@ @@ -1710,8 +2017,157 @@
# #
interface(`xserver_unconfined',` interface(`xserver_unconfined',`
gen_require(` gen_require(`