From 2463bf03e2240bffca95a749e7aefab79c40ef1f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 12 2009 13:08:57 +0000
Subject: - Allow udev to transition to bluetooth
---
diff --git a/policy-20090521.patch b/policy-20090521.patch
index c9ade97..480fbfd 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -109,6 +109,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
+--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-06-12 08:42:20.000000000 -0400
+@@ -136,7 +136,7 @@
+
+ miscfiles_read_localization(vmware_host_t)
+
+-sysnet_dns_name_resolve(vmware_host_t)
++auth_use_nsswitch(vmware_host_t)
+
+ storage_getattr_fixed_disk_dev(vmware_host_t)
+
+@@ -160,6 +160,10 @@
+ xserver_common_app(vmware_host_t)
+ ')
+
++optional_policy(`
++ unconfined_domain(vmware_host_t)
++ unconfined_domain(vmware_t)
++')
+
+ ifdef(`TODO',`
+ # VMWare need access to pcmcia devices for network
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-06-08 08:49:07.000000000 -0400
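Review bot: The second inner hunk (`@@ -160,6 +160,10 @@`) makes both `vmware_host_t` and `vmware_t` unconfined via `unconfined_domain()`, which removes essentially all SELinux confinement from the VMware host daemons and, if `vmware_t` is still the per-user VMware application domain, from every user process running in it, yet neither the commit subject nor the 3.6.12-50 changelog entry in this same commit mentions it. `unconfined_domain()` assigns an attribute, so it cannot be placed under a `tunable_policy()` boolean; the `optional_policy()` wrapper only ties it to the unconfined module being loaded, leaving an administrator no switch to keep VMware confined. If giving up on confining VMware is the intent, add a comment stating why, e.g. `# VMware needs more access than a confined domain can express; treat it as unconfined`, and record it in the changelog; otherwise prefer adding the specific denied accesses. The `sysnet_dns_name_resolve` → `auth_use_nsswitch` swap in the first inner hunk also widens `vmware_host_t` to the full nsswitch set (passwd/group lookups, ldap/nis sockets), which is reasonable on its own but moot once the domain is unconfined.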
@@ -360,8 +383,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # a keyring
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-29 11:03:57.000000000 -0400
-@@ -5224,6 +5224,7 @@
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-06-11 14:03:01.000000000 -0400
+@@ -1953,6 +1953,7 @@
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, etc_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
++ files_read_etc_runtime_files($1)
+ ')
+
+ ########################################
+@@ -5224,6 +5225,7 @@
 attribute file_type;
 ')
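Review bot: The added `files_read_etc_runtime_files($1)` widens whatever interface encloses the `@@ -1953` hunk (its `interface()` line and doc header are outside the hunk; the `etc_t` read rules suggest it is `files_read_etc_files`) so that every one of its callers can now also read `etc_runtime_t` files, while the interface's summary, also outside the hunk, still describes only generic /etc files. `etc_runtime_t` is the label for files that running programs rewrite (in refpolicy that includes /etc/mtab and /etc/nologin), so this is an information-flow change for every domain using the interface, not a fix for one denial. Update the summary to say the runtime files are included, e.g. `## Read generic files in /etc, including the runtime-generated files labeled etc_runtime_t.`, and consider whether the few domains that actually hit this denial should call `files_read_etc_runtime_files()` themselves instead.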
@@ -381,6 +412,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-06-11 10:02:45.000000000 -0400
+@@ -571,6 +571,25 @@
+ dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+
++#######################################
++##
++## Set the attributes of the tty device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_setattr_controlling_term',`
++ gen_require(`
++ type devtty_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 devtty_t:chr_file setattr;
++')
++
+ ########################################
+ ##
+ ## Read and write the controlling
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-06-01 08:41:46.000000000 -0400
@@ -545,7 +605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-05-21 12:57:07.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-11 08:32:09.000000000 -0400
 @@ -55,7 +55,7 @@
 #
 # DeviceKit-Power local policy
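Review bot: The new `term_setattr_controlling_term` interface grants `setattr` on `devtty_t:chr_file`, i.e. the ability to chown/chmod the shared /dev/tty node, but its header as shown carries bare `##` lines with no `<summary>`/`<param name="domain">` markup; if that is not an artifact of how this page was rendered, the policy documentation generator will not pick the interface up correctly. The summary "Set the attributes of the tty device" also does not tell a caller that this is the controlling-terminal node rather than an arbitrary tty, so callers that only need to use the terminal may reach for it by mistake; I would write `## Set the attributes (ownership/mode) of the controlling terminal device node, /dev/tty.` The bundled `dev_list_all_dev_nodes($1)` is presumably there so the caller can resolve the node under /dev, but it is broader than a single-node permission and deserves a one-line comment saying so.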
@@ -555,6 +615,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+@@ -77,6 +77,7 @@
+ kernel_rw_kernel_sysctl(devicekit_power_t)
+ kernel_write_proc_files(devicekit_power_t)
+
++dev_read_input(devicekit_power_t)
+ dev_rw_generic_usb_dev(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-06-04 13:23:04.000000000 -0400
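Review bot: `dev_read_input(devicekit_power_t)` gives DeviceKit-power read access to every input event node, which on most systems includes the keyboard, so a compromised devicekit_power process could observe keystrokes; the hunk carries no comment saying which device it actually needs. Presumably the need is lid-switch and power/sleep button events delivered through /dev/input — if so, say so above the rule, e.g. `# lid switch / power button events arrive via /dev/input`, so a later reviewer does not mistake it for a stray allow from an audit2allow run.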
@@ -743,6 +811,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dbus_system_bus_client(setroubleshootd_t)
 dbus_connect_system_bus(setroubleshootd_t)
 dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te
+--- nsaserefpolicy/policy/modules/services/shorewall.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/shorewall.te 2009-06-12 07:59:58.000000000 -0400
+@@ -35,6 +35,7 @@
+
+ allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
+ dontaudit shorewall_t self:capability sys_tty_config;
++allow shorewall_t self:process signal;
+
+ allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-05-21 08:31:58.000000000 -0400
@@ -751,6 +830,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
 /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/uucp.te 2009-06-10 16:13:54.000000000 -0400
+@@ -95,6 +95,8 @@
+ files_search_home(uucpd_t)
+ files_search_spool(uucpd_t)
+
++term_setattr_controlling_term(uucpd_t)
++
+ auth_use_nsswitch(uucpd_t)
+
+ logging_send_syslog_msg(uucpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-06-09 06:54:00.000000000 -0400
@@ -866,7 +957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ipsec_setcontext_default_spd(setkey_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-08 08:45:27.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-12 09:03:04.000000000 -0400
 @@ -139,6 +139,7 @@
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
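Review bot: `term_setattr_controlling_term(uucpd_t)` lets the uucpd daemon chown/chmod /dev/tty; uucpd is a network-facing login service (typically started from xinetd), so this is a permission I would want justified in a comment rather than added silently above `auth_use_nsswitch`. If the access was only seen as an AVC denial while uucpd fixes up its terminal on login, state that, e.g. `# uucpd resets ownership/mode of its tty on login`; if the program works without it, a `dontaudit uucpd_t devtty_t:chr_file setattr;` would be the safer way to quiet the log. The interface being called is introduced by the terminal.if hunk earlier in this same patch, so backporting this uucp change on its own will fail to build.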
@@ -875,7 +966,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -366,6 +367,7 @@
+@@ -190,6 +191,7 @@
+ /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -366,9 +368,10 @@
 /usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
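Review bot: The added `/usr/lib64/maxima/[^/]+/binary-gcl/maxima` entry duplicates the existing `/usr/lib/maxima/...` line directly below it instead of folding the architecture into the regex the way the rest of this file does (see the `/usr/lib(64)?/...` entries in the context above); a single `/usr/lib(64)?/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)` replacing both covers both library directories and keeps the two from drifting apart. Labeling an executable image as `textrel_shlib_t` also effectively permits `execmod` on it, which is the expected answer for a GCL-built image that relocates its text, but that is worth a short comment so nobody later "corrects" the label to `bin_t`.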
@@ -883,6 +982,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 + /usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 + +- ++/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-05-28 21:07:39.000000000 -0400
@@ -918,6 +1021,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 allow dhcpc_t self:process { setfscreate ptrace signal_perms };
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-12 07:55:17.000000000 -0400
+@@ -196,6 +196,10 @@
+ ')
+
+ optional_policy(`
++ bluetooth_domtrans(udev_t)
++')
++
++optional_policy(`
+ brctl_domtrans(udev_t)
+ ')
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-06-01 08:19:34.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 63e52bc..f91a4e7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
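Review bot: `bluetooth_domtrans(udev_t)` in the udev.te hunk makes udev, which runs as root and is driven by hotplug events, transition into `bluetooth_t` whenever it executes a `bluetooth_exec_t` binary, but nothing in the hunk records which helper the udev rule actually runs (presumably `hciattach` or `hid2hci` for a newly plugged adapter); add that above the call, e.g. `# udev rules run hciattach/hid2hci on adapter hotplug`. If `bluetooth_domtrans` is the usual `domtrans_pattern` on `bluetooth_exec_t`, the transition applies to every binary carrying that label, so any other bluetooth program a udev rule invokes will also land in `bluetooth_t` with its network and device access — confirm that is acceptable rather than labeling the one helper separately. Placing the new block before the `brctl` one keeps the optional_policy blocks alphabetical, which is right.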
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 48%{?dist}
+Release: 50%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,12 @@ exit 0
 %endif
 %changelog
+* Fri Jun 12 2009 Dan Walsh 3.6.12-50
+- Allow udev to transition to bluetooth
+
+* Thu Jun 4 2009 Dan Walsh 3.6.12-49
+- Add labeling for midori shared libraries
+
 * Thu Jun 4 2009 Dan Walsh 3.6.12-48
 - Allow setroubleshoot to run mlocate