From 04bbeb4daec461c9bb840baea5a9d1cf0a35f47f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 10 2008 21:51:07 +0000 Subject: - Change default boolean settings for xguest - Allow mount to r/w image files - Fix labes for several libraries that need textrel_shlib_t - portreserve needs to be able to sendrecv unlabeled_t - Fix Kerberos labeling - Fix cups printing on hp printers - Allow relabeling on blk devices on the homedir - Allow nslpugin to r/w inodefs --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 30c0c25..a465d22 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -4424,8 +4424,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-06 12:46:21.000000000 -0500 -@@ -0,0 +1,272 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-10 10:40:02.000000000 -0500 +@@ -0,0 +1,274 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4535,6 +4535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_getattr_tmpfs(nsplugin_t) +fs_getattr_xattr_fs(nsplugin_t) +fs_search_auto_mountpoints(nsplugin_t) ++fs_rw_anon_inodefs_files(nsplugin_t) + +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) + @@ -4657,6 +4658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_fonts(nsplugin_config_t) + +userdom_search_all_users_home_content(nsplugin_config_t) ++unprivuser_read_home_content_files(nsplugin_config_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(nsplugin_t) 
@@ -5327,7 +5329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-10 09:31:53.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -7263,7 +7265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-10-29 12:09:50.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-11-10 15:37:12.000000000 -0500 @@ -110,6 +110,11 @@ ## # 
@@ -7276,7 +7278,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_type($1) ') -@@ -1060,6 +1065,24 @@ +@@ -928,8 +933,8 @@ + relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) +- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) +- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) +@@ -953,6 +958,32 @@ + ## + ## + # ++interface(`files_rw_all_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ rw_files_pattern($1, { file_type $2 }, { file_type $2 }) ++') ++ ++######################################## ++## ++## Manage all files on the filesystem, except ++## the listed exceptions. ++## ++## ++## ++## The type of the domain perfoming this action. ++## ++## ++## ++## ++## The types to be excluded. Each type or attribute ++## must be negated by the caller. ++## ++## ++## ++# + interface(`files_manage_all_files',` + gen_require(` + attribute file_type; +@@ -1060,6 +1091,24 @@ ## ## # @@ -7301,7 +7347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol interface(`files_relabelto_all_file_type_fs',` gen_require(` attribute file_type; -@@ -1303,6 +1326,24 @@ +@@ -1303,6 +1352,24 @@ ######################################## ## @@ -7326,7 +7372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unmount a rootfs filesystem. ## ## -@@ -1889,6 +1930,26 @@ +@@ -1889,6 +1956,26 @@ ######################################## ## 
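Review bot: The new `files_rw_all_files` interface is inserted directly below the `## ## #` doc block that used to head `files_manage_all_files`, so it inherits a header written for the manage interface, while the header added in the same hunk (copied from it, and still reading "Manage all files on the filesystem") is placed above `files_manage_all_files`. Give the new interface its own header with a summary of `## Read and write all files on the filesystem, except the listed exceptions.` and the same two parameter blocks, and fix `perfoming` to `performing` in the copied text. It is also worth noting in that header that with `$2` empty the pattern expands to every `file_type`, so callers are expected to pass the negated exclusions. The earlier change in this hunk, `relabelfrom_blk_files_pattern` to `relabel_blk_files_pattern` (and the chr counterpart), belongs to an interface whose name is outside the hunk; it widens relabel-from to relabel-to on device nodes and deserves a one-line comment at the call site explaining the home-directory case from the commit message.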
@@ -7353,7 +7399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write generic files in /etc. ## ## -@@ -2224,6 +2285,49 @@ +@@ -2224,6 +2311,49 @@ ######################################## ## @@ -7403,7 +7449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -2744,6 +2848,24 @@ +@@ -2744,6 +2874,24 @@ ######################################## ## @@ -7428,7 +7474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete symbolic links in /mnt. ## ## -@@ -3394,6 +3516,8 @@ +@@ -3394,6 +3542,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -7437,7 +7483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3471,6 +3595,47 @@ +@@ -3471,6 +3621,47 @@ ######################################## ## @@ -7485,7 +7531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Get the attributes of files in /usr. ## ## -@@ -3547,6 +3712,24 @@ +@@ -3547,6 +3738,24 @@ ######################################## ## @@ -7510,7 +7556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Relabel a file to the type used in /usr. ## ## -@@ -4433,6 +4616,25 @@ +@@ -4433,6 +4642,25 @@ ######################################## ## @@ -7536,7 +7582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write generic process ID files. ## ## -@@ -4761,12 +4963,14 @@ +@@ -4761,12 +4989,14 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) 
@@ -7552,7 +7598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4787,3 +4991,71 @@ +@@ -4787,3 +5017,71 @@ typeattribute $1 files_unconfined_type; ') @@ -9996,8 +10042,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.13/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/xguest.te 2008-10-28 11:05:26.000000000 -0400 -@@ -0,0 +1,83 @@ ++++ serefpolicy-3.5.13/policy/modules/roles/xguest.te 2008-11-10 11:13:37.000000000 -0500 +@@ -0,0 +1,87 @@ + +policy_module(xguest, 1.0.0) + @@ -10006,21 +10052,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## Allow xguest users to mount removable media +##

+## -+gen_tunable(xguest_mount_media, false) ++gen_tunable(xguest_mount_media, true) + +## +##

+## Allow xguest to configure Network Manager +##

+##
-+gen_tunable(xguest_connect_network, false) ++gen_tunable(xguest_connect_network, true) + +## +##

+## Allow xguest to use blue tooth devices +##

+##
-+gen_tunable(xguest_use_bluetooth, false) ++gen_tunable(xguest_use_bluetooth, true) + +######################################## +# @@ -10048,6 +10094,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mono_per_role_template(xguest, xguest_t, xguest_r) +') + ++optional_policy(` ++ nsplugin_per_role_template($1, $1_usertype, $1_r) ++') ++ +# Allow mounting of file systems +optional_policy(` + tunable_policy(`xguest_mount_media',` @@ -13770,7 +13820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-10-29 13:51:55.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-11-10 14:07:38.000000000 -0500 @@ -20,6 +20,12 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -13870,7 +13920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) - -+allow cupsd_t hplip_t:process sigkill; ++allow cupsd_t hplip_t:process {signal sigkill }; allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) 
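Review bot: The three xguest tunables move from `false` to `true`, so a freshly installed policy grants the guest role removable-media mounting, NetworkManager configuration and Bluetooth use by default, yet nothing in the hunk records the new default or the reason for it. The tunable descriptions are the place to state it, e.g. `## Allow xguest users to mount removable media (enabled by default).` and the equivalent sentence for `xguest_connect_network` and `xguest_use_bluetooth`, so an administrator reviewing these booleans knows the shipped setting is the permissive one and can turn it off where the guest account must stay confined. While touching that text, `blue tooth` should read `Bluetooth`.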
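Review bot: `nsplugin_per_role_template($1, $1_usertype, $1_r)` is added to xguest.te, a module body rather than an `.if` template, so `$1` has no value at this point; the sibling call just above passes concrete names, `mono_per_role_template(xguest, xguest_t, xguest_r)`. Unless the part of the file outside the hunk defines these as m4 macros, the call should follow the sibling, `nsplugin_per_role_template(xguest, xguest_t, xguest_r)`. As written the module may fail to build or compile to a no-op optional block, which would leave the guest browser plugins running without the nsplugin confinement the change intends.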
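Review bot: The replacement line `allow cupsd_t hplip_t:process {signal sigkill };` has uneven spacing inside the set; the rest of this patch writes sets as `{ file sock_file }` and `{ file_type $2 }`, so `allow cupsd_t hplip_t:process { signal sigkill };` keeps the style consistent. The line also widens cupsd from `sigkill` alone to any signal, which is fine for killing a stuck backend but merits a short comment on the reason, since the commit message only says "Fix cups printing on hp printers".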
@@ -14073,16 +14123,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -500,7 +558,7 @@ +@@ -500,7 +558,8 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; -allow hplip_t cupsd_etc_t:dir search; +allow hplip_t cupsd_etc_t:dir search_dir_perms; ++allow hplip_t cupsd_tmp_t:file rw_file_perms; cups_stream_connect(hplip_t) -@@ -509,6 +567,8 @@ +@@ -509,6 +568,8 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14091,7 +14142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -538,7 +598,8 @@ +@@ -538,7 +599,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -14101,7 +14152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -564,12 +625,14 @@ +@@ -564,12 +626,14 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -14117,7 +14168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -651,3 +714,44 @@ +@@ -651,3 +715,44 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -15206,7 +15257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-11-10 10:52:53.000000000 -0500 
@@ -10,6 +10,9 @@ type dnsmasq_exec_t; init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) @@ -16371,6 +16422,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(inetd_child_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.5.13/policy/modules/services/kerberos.fc +--- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-10-10 15:53:03.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/kerberos.fc 2008-11-10 14:48:44.000000000 -0500 +@@ -20,7 +20,7 @@ + /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) + /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) + + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) + /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.13/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2008-10-14 11:58:09.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/kerberos.te 2008-10-28 10:56:19.000000000 -0400 
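Review bot: The kerberos.fc change replaces the `principal\.ok` entry instead of adding the keytab entry beside it, so `/var/kerberos/krb5kdc/principal.ok` loses its `krb5kdc_lock_t` label and falls through to the preceding `principal.*` pattern, becoming `krb5kdc_principal_t`. If that is intended it should be stated in the commit message; if not, keep `/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)` and add the new `kadm5\.keytab` line after it. The keytab line is the only one in this hunk restricted to regular files with `--`, which is appropriate for a keytab holding long-term keys; a comment above the block noting that `krb5_keytab_t` is the sensitive type here would help anyone relabeling the directory by hand.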
@@ -19284,8 +19347,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-10-28 11:20:02.000000000 -0400 -@@ -0,0 +1,53 @@ ++++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-11-10 11:16:45.000000000 -0500 +@@ -0,0 +1,55 @@ +policy_module(portreserve,1.0.0) + +######################################## @@ -19323,6 +19386,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file }) + ++corenet_sendrecv_unlabeled_packets(portreserve_t) ++corenet_all_recvfrom_netlabel(portreserve_t) +corenet_tcp_bind_all_ports(portreserve_t) +corenet_tcp_bind_all_ports(portreserve_t) +corenet_udp_bind_all_nodes(portreserve_t) @@ -28166,7 +28231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-05 11:29:07.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-10 09:54:43.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt 
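Review bot: `corenet_sendrecv_unlabeled_packets(portreserve_t)` lets the daemon send and receive packets carrying no SELinux label, which is broader than the bind-only role the surrounding lines give it (`corenet_tcp_bind_all_ports`, `corenet_udp_bind_all_nodes`), and the hunk does not say which denial it resolves. A comment recording the observed AVC, e.g. `# reserving a port: kernel delivers unlabeled packets to the bound socket (see AVC in bug report)`, would let a later reviewer judge whether the allow is still required. The context also shows `corenet_tcp_bind_all_ports(portreserve_t)` twice in a row; the duplicate predates this change but could be dropped while the block is being edited.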
@@ -28211,7 +28276,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -133,6 +145,7 @@ +@@ -127,12 +139,14 @@ + /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -28219,7 +28291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,7 +181,8 @@ +@@ -168,7 +182,8 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28229,7 +28301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,6 +201,7 @@ +@@ -187,6 +202,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28237,7 +28309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,7 +261,7 @@ +@@ -246,7 +262,7 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -28246,7 +28318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +282,8 @@ +@@ -267,6 +283,8 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28255,7 +28327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +308,8 @@ +@@ -291,6 +309,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28264,7 +28336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +329,18 @@ +@@ -310,3 +330,18 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -28423,7 +28495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.13/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.fc 2008-11-07 08:13:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/logging.fc 2008-11-07 08:13:26.000000000 -0500 @@ -53,15 +53,18 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') @@ -28941,7 +29013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_run_smbmount($1, $2, $3) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-10 15:37:25.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -29050,7 +29122,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -167,6 +182,8 @@ +@@ -138,6 +153,7 @@ + auth_read_all_dirs_except_shadow(mount_t) + auth_read_all_files_except_shadow(mount_t) + files_mounton_non_security(mount_t) ++ files_rw_all_files(mount_t) + ') + + optional_policy(` +@@ -167,6 +183,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -29059,7 +29139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -181,6 +198,11 @@ +@@ -181,6 +199,11 @@ ') ') 
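Review bot: `files_rw_all_files(mount_t)` is called without the exclusion argument, so the pattern expands to every `file_type`, while the two lines directly above it (`auth_read_all_dirs_except_shadow`, `auth_read_all_files_except_shadow`) show this block deliberately keeps shadow out of reach; if `shadow_t` carries `file_type` as elsewhere in the reference policy, this addition hands mount_t write access to it. The commit message scopes the need to image files, so either a dedicated type for loopback images or an exception-taking wrapper alongside the existing `auth_*_except_shadow` interfaces would fit the least-privilege pattern the file already follows. The enclosing conditional block opens outside the hunk; a comment on the new line, such as `# loopback-mounting image files requires read/write on the backing file`, should record why a file-system mounter needs write on the filesystem's contents at all.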
@@ -29071,7 +29151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -188,6 +210,7 @@ +@@ -188,6 +211,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -29079,7 +29159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -198,4 +221,26 @@ +@@ -198,4 +222,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -29577,7 +29657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.13/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.te 2008-11-10 12:22:40.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -31124,7 +31204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-03 17:15:19.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-10 11:10:03.000000000 -0500 @@ -28,10 +28,14 @@ class context contains; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index aed0025..e1d8a85 100644 --- a/selinux-policy.spec 
+++ b/selinux-policy.spec @@ -457,6 +457,16 @@ exit 0 %endif %changelog +* Mon Nov 10 2008 Dan Walsh 3.5.13-20 +- Change default boolean settings for xguest +- Allow mount to r/w image files +- Fix labes for several libraries that need textrel_shlib_t +- portreserve needs to be able to sendrecv unlabeled_t +- Fix Kerberos labeling +- Fix cups printing on hp printers +- Allow relabeling on blk devices on the homedir +- Allow nslpugin to r/w inodefs + * Fri Nov 5 2008 Dan Walsh 3.5.13-19 - Fix labeling on /var/spool/rsyslog