From 0d7ef94e3c9699903a420284662c1e9bf0552190 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 20 2009 12:12:58 +0000 Subject: - Allow ccs to communicate with userdomains, and create tmpfs_t - Add /dev/noz* as a modem_device_t and allow modemmanager to rw it. - Add mapping for /var/run/lircd --- diff --git a/modules-mls.conf b/modules-mls.conf index e332e52..cb3d132 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1861,3 +1861,9 @@ clogd = module # ricci = module +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module diff --git a/policy-F12.patch b/policy-F12.patch index 723d568..d78a57d 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -26535,7 +26535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-10-08 15:35:18.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-10-20 08:04:03.000000000 -0400 @@ -351,6 +351,27 @@ ######################################## @@ -28652,7 +28652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-19 14:14:08.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-20 08:04:43.000000000 -0400 
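Review bot: The new `rhcs = module` entry is the only change to modules-mls.conf and it builds the Red Hat Cluster Suite module into the MLS policy, widening that policy by every domain and type the module declares, yet the commit description does not mention it. If the entry is there because the ccs change named in the subject lives in the rhcs module, that should be stated, either in the description or on the entry itself, e.g. `# Enabled for MLS: ccs needs to communicate with userdomains` (reason inferred from the subject line; confirm before committing to it). The neighbouring `# ricci = module` entry stays commented out; if rhcs under MLS is expected to work without ricci that is fine, otherwise it needs a look. Whether the package's other module lists already carry rhcs is not visible from this hunk.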
@@ -30,8 +30,9 @@ ') @@ -29216,27 +29216,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + alsa_read_rw_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ # Allow graphical boot to check battery lifespan ++ apm_stream_connect($1_usertype) ') - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_user_ttys($1_t) + optional_policy(` -+ # Allow graphical boot to check battery lifespan -+ apm_stream_connect($1_usertype) ++ canna_stream_connect($1_usertype) ') optional_policy(` - alsa_read_rw_config($1_t) -+ canna_stream_connect($1_usertype) ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ chrome_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; @@ -29312,21 +29312,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ++ nsplugin_role($1_r, $1_usertype) ') optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) -+ nsplugin_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_usertype) ') 
@@ -29392,12 +29392,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) ++ ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) -+ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -29566,7 +29566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -865,51 +946,83 @@ +@@ -865,51 +946,84 @@ userdom_restricted_user_template($1) @@ -29583,12 +29583,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) ++ ++ xserver_role($1_r, $1_t) ++ xserver_communicate($1_usertype, $1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) -+ xserver_role($1_r, $1_t) -+ xserver_communicate($1_usertype, $1_usertype) -+ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -29609,6 +29609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode($1_t) + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) ++ seutil_read_default_contexts($1_t) + + optional_policy(` + alsa_read_rw_config($1_usertype) @@ -29663,7 +29664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1056,8 @@ +@@ -943,8 +1057,8 @@ # Declarations # 
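Review bot: The added `++ seutil_read_default_contexts($1_t)` line in hunk @@ -29609 introduces a permission that the commit description does not cover; the description lists only the ccs/userdomain, /dev/noz* modem and /var/run/lircd changes. The grant gives the restricted X-window user domain read access to the default_contexts file next to the existing `seutil_read_file_contexts($1_t)`; that is a read of policy configuration rather than of user data, so the exposure is small, but the program that needs it should be named so the rule can be revisited later, e.g. a comment above it such as `# <consumer - TODO name it> reads default_contexts at session start`. The inner hunk header change in hunk @@ -29566 (`+946,83` to `+946,84`) is consistent with this single added line. The enclosing template, the one invoking `userdom_restricted_user_template($1)`, starts and ends outside the hunk.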
@@ -29673,7 +29674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1066,67 @@ +@@ -953,58 +1067,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -29771,7 +29772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1162,7 @@ +@@ -1040,7 +1163,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -29780,7 +29781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1171,7 @@ +@@ -1049,8 +1172,7 @@ # # Inherit rules for ordinary users. @@ -29790,7 +29791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1196,9 @@ +@@ -1075,6 +1197,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -29800,7 +29801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1213,7 @@ +@@ -1089,6 +1214,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -29808,7 +29809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1221,6 @@ +@@ -1096,8 +1222,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -29817,7 +29818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,6 +1247,8 @@ +@@ -1124,6 +1248,8 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) 
@@ -29826,7 +29827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1152,20 +1277,6 @@ +@@ -1152,20 +1278,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -29847,7 +29848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1322,7 @@ +@@ -1211,6 +1323,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -29855,7 +29856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1388,15 @@ +@@ -1276,11 +1389,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -29871,7 +29872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1507,13 @@ +@@ -1391,12 +1508,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -29886,7 +29887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1546,14 @@ +@@ -1429,6 +1547,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -29901,7 +29902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1569,11 @@ +@@ -1444,9 +1570,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -29913,7 +29914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1630,25 @@ +@@ -1503,6 +1631,25 @@ allow $1 user_home_dir_t:dir relabelto; ') 
@@ -29939,7 +29940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1723,8 @@ +@@ -1577,6 +1724,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -29948,7 +29949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1670,6 +1818,7 @@ +@@ -1670,6 +1819,7 @@ type user_home_dir_t, user_home_t; ') @@ -29956,7 +29957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1946,32 @@ +@@ -1797,19 +1947,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -29996,7 +29997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2006,7 @@ +@@ -1844,6 +2007,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -30004,7 +30005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,27 +2554,7 @@ +@@ -2391,27 +2555,7 @@ ######################################## ## @@ -30033,7 +30034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2749,7 +2892,7 @@ +@@ -2749,7 +2893,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -30042,7 +30043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +2908,32 @@ +@@ -2765,11 +2909,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -30077,7 +30078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3061,25 @@ +@@ -2897,7 +3062,25 @@ type user_tmp_t; ') @@ -30104,7 +30105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3116,7 @@ +@@ -2934,6 +3117,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -30112,7 +30113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3247,559 @@ +@@ -3064,3 +3248,559 @@ allow $1 userdomain:dbus send_msg; ')