- Additional rules for consolekit/udev, privoxy and various other fixes

2009-06-15 20:04:07 +00:00 · 2009-06-15 20:04:07 +00:00 · f8df9e54c4
commit f8df9e54c4
parent d54def1c6f
2 changed files with 92 additions and 19 deletions
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -7539,8 +7539,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te	2009-06-12 15:59:08.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te	2009-06-15 15:37:34.000000000 -0400
-@@ -0,0 +1,403 @@
+@@ -0,0 +1,407 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -7798,6 +7798,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
 +	ppp_run(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
 +	qemu_role_notrans(unconfined_r, unconfined_t)
 +	qemu_unconfined_role(unconfined_r)
 +
@ -12151,6 +12155,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.16/policy/modules/services/ddclient.if
 --- nsaserefpolicy/policy/modules/services/ddclient.if	2008-10-08 19:00:27.000000000 -0400
 +++ serefpolicy-3.6.16/policy/modules/services/ddclient.if	2009-06-15 15:36:38.000000000 -0400
@@ -21,6 +21,31 @@
 ########################################
 ## <summary>
 +##	 Execute ddclient daemon on behalf of a user or staff type.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	 Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	The role to allow the ppp domain.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`ddclient_run',`
 +	gen_require(`
 +		type ddclient_t;
 +	')
 +
 +	ddclient_domtrans($1)
 +	role $2 types ddclient_t;
 +')
 +
 +########################################
 +## <summary>
 ##	All of the rules required to administrate 
 ##	an ddclient environment
 ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.16/policy/modules/services/devicekit.fc
 --- nsaserefpolicy/policy/modules/services/devicekit.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.16/policy/modules/services/devicekit.fc	2009-06-12 15:59:08.000000000 -0400
@ -13845,7 +13884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.16/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/services/kerberos.te	2009-06-12 15:59:08.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/services/kerberos.te	2009-06-15 15:01:15.000000000 -0400
@@ -33,6 +33,7 @@
 type kpropd_t;
 type kpropd_exec_t;
@ -13864,14 +13903,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # kadmind local policy
-@@ -281,6 +285,7 @@
+@@ -281,7 +285,9 @@
 allow kpropd_t krb5_keytab_t:file read_file_perms;
 +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
 +filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
 corecmd_exec_bin(kpropd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.16/policy/modules/services/kerneloops.if
 --- nsaserefpolicy/policy/modules/services/kerneloops.if	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.16/policy/modules/services/kerneloops.if	2009-06-12 15:59:08.000000000 -0400
@ -17538,7 +17579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # /sbin
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.16/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/ppp.if	2009-06-12 15:59:08.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/services/ppp.if	2009-06-15 15:36:20.000000000 -0400
@@ -58,6 +58,25 @@
 ########################################
@ -17565,7 +17606,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Send a generic signal to PPP.
 ## </summary>
 ## <param name="domain">
-@@ -298,6 +317,24 @@
+@@ -158,10 +177,16 @@
 interface(`ppp_run',`
 	gen_require(`
 		type pppd_t;
 +		type pptp_t;
 	')
 	ppp_domtrans($1)
 	role $2 types pppd_t;
 +	role $2 types pptp_t;
 +
 +	optional_policy(`
 +		ddclient_run(pppd_t, $2)
 +	')
 ')
 ########################################
@@ -298,6 +323,24 @@
 ########################################
 ## <summary>
@ -17590,7 +17648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	All of the rules required to administrate 
 ##	an ppp environment
 ## </summary>
-@@ -315,33 +352,39 @@
+@@ -315,33 +358,39 @@
 		type pppd_etc_rw_t, pppd_var_run_t;
 		type pptp_t, pptp_log_t, pptp_var_run_t;
@ -17641,7 +17699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.16/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/ppp.te	2009-06-12 15:59:08.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/services/ppp.te	2009-06-15 14:52:23.000000000 -0400
@@ -37,8 +37,8 @@
 type pppd_etc_rw_t;
 files_type(pppd_etc_rw_t)
@ -18194,7 +18252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		mysql_search_db(httpd_prewikka_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.16/policy/modules/services/privoxy.te
 --- nsaserefpolicy/policy/modules/services/privoxy.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/privoxy.te	2009-06-12 15:59:08.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/services/privoxy.te	2009-06-15 15:19:59.000000000 -0400
@@ -6,6 +6,14 @@
 # Declarations
 #
@ -18210,7 +18268,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t, privoxy_exec_t)
-@@ -72,21 +80,18 @@
+@@ -39,9 +47,8 @@
 manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
 files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
 +kernel_read_system_state(privoxy_t)
 kernel_read_kernel_sysctls(privoxy_t)
 -kernel_list_proc(privoxy_t)
 -kernel_read_proc_symlinks(privoxy_t)
 corenet_all_recvfrom_unlabeled(privoxy_t)
 corenet_all_recvfrom_netlabel(privoxy_t)
@@ -72,21 +79,18 @@
 logging_send_syslog_msg(privoxy_t)
@ -24289,7 +24358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.16/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2009-06-12 15:45:03.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/system/authlogin.if	2009-06-12 16:03:57.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/system/authlogin.if	2009-06-15 15:31:30.000000000 -0400
@@ -46,11 +46,23 @@
 	')
@ -24331,7 +24400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	init_rw_utmp($1)
-@@ -105,9 +120,46 @@
+@@ -105,9 +120,47 @@
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
@ -24362,6 +24431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	optional_policy(`
 +		kerberos_manage_host_rcache($1)
 +		kerberos_read_config($1)
 +	')
 +
 +	optional_policy(`
@ -24380,7 +24450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -305,19 +356,16 @@
+@@ -305,19 +357,16 @@
 	dev_read_rand($1)
 	dev_read_urand($1)
@ -24405,7 +24475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	optional_policy(`
-@@ -328,6 +376,29 @@
+@@ -328,6 +377,29 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
@ -24435,7 +24505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -352,6 +423,7 @@
+@@ -352,6 +424,7 @@
 	auth_domtrans_chk_passwd($1)
 	role $2 types chkpwd_t;
@ -24443,7 +24513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1129,6 +1201,32 @@
+@@ -1129,6 +1202,32 @@
 ########################################
 ## <summary>
@ -24476,7 +24546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Manage all files on the filesystem, except
 ##	the shadow passwords and listed exceptions.
 ## </summary>
-@@ -1395,6 +1493,14 @@
+@@ -1395,6 +1494,14 @@
 	')
 	optional_policy(`
@ -24491,7 +24561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		nis_use_ypbind($1)
 	')
-@@ -1403,8 +1509,13 @@
+@@ -1403,8 +1510,13 @@
 	')
 	optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.16
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -473,6 +473,9 @@ exit 0
 %endif
 %changelog
 * Mon Jun 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-2
 - Additional rules for consolekit/udev, privoxy and various other fixes
 * Fri Jun 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-1
 - New version for upstream