From 246af59819f2d4b7cdc828f81296752c29c2bb71 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 21 2007 22:21:19 +0000 Subject: - Allow cupsd to sigkill hplip_t - Allow automount to create fifo files - Allow xguest to mount hal devices and read/write file systems - that do not support extended attributes. Allows kiosk users to - copy to usb media --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 1d225e2..2b76051 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -6463,6 +6463,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi dev_read_sound(entropyd_t) fs_getattr_all_fs(entropyd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.0.8/policy/modules/services/automount.fc +--- nsaserefpolicy/policy/modules/services/automount.fc 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/automount.fc 2007-11-21 12:28:02.000000000 -0500 +@@ -12,4 +12,6 @@ + # /var + # + +-/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0) ++/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/automount.if 2007-10-29 23:59:29.000000000 -0400 
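Review bot: The new file-context line `/var/run/autofs.*` in automount.fc uses an unescaped `.`, so it is a regex wildcard rather than a literal dot: it labels every path under /var/run whose name begins with `autofs` followed by anything, not just the autofs directory and the fifo files the changelog mentions. That is broader than the replaced `/var/run/autofs(/.*)?` and would also hand automount_var_run_t to an unrelated `/var/run/autofsXYZ` created by some other daemon. If the fifos are named `autofs.<something>` (the names cannot be confirmed from this diff), keeping the original line and adding `/var/run/autofs\..*  gen_context(system_u:object_r:automount_var_run_t,s0)` covers both with a literal dot. The two trailing `++` empty lines add stray blank lines to the end of the .fc file and can be dropped. Note the new label only applies on relabel; fifos created at runtime depend on the filetrans rule in the automount.te hunk.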
@@ -6490,14 +6501,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/automount.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/automount.te 2007-11-21 12:31:35.000000000 -0500 @@ -52,7 +52,8 @@ files_root_filetrans(automount_t,automount_tmp_t,dir) manage_files_pattern(automount_t,automount_var_run_t,automount_var_run_t) -files_pid_filetrans(automount_t,automount_var_run_t,file) -+manage_sock_files_pattern(automount_t,automount_var_run_t,automount_var_run_t) -+files_pid_filetrans(automount_t,automount_var_run_t,{ file sock_file }) ++manage_fifo_files_pattern(automount_t,automount_var_run_t,automount_var_run_t) ++files_pid_filetrans(automount_t,automount_var_run_t,{ file fifo_file }) kernel_read_kernel_sysctls(automount_t) kernel_read_irq_sysctls(automount_t) @@ -7438,7 +7449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-11-12 17:21:56.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-11-21 09:29:27.000000000 -0500 @@ -48,9 +48,8 @@ type hplip_t; type hplip_exec_t; 
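Review bot: The automount.te hunk swaps `manage_sock_files_pattern` / `sock_file` for `manage_fifo_files_pattern` / `fifo_file` instead of adding the fifo permissions alongside the socket ones, so whatever prompted the 2007-10-29 revision of this patch to grant sock_file on automount_var_run_t is now revoked. If that earlier grant answered a real AVC denial (not determinable from this diff), automount will fail again on socket creation; if it was a misdiagnosis of the fifo, this replacement is the correct least-privilege fix and only the fifo rules should remain. Worth confirming against the audit log before merge; if both are needed the transition line becomes `files_pid_filetrans(automount_t,automount_var_run_t,{ file sock_file fifo_file })` with both manage patterns kept. A short comment above the rules, e.g. `# autofs creates its control fifos under /var/run`, would record why the permission exists.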
@@ -7474,12 +7485,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) -@@ -122,13 +120,13 @@ +@@ -122,13 +120,14 @@ manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) -read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t) - ++allow cupsd_t hplip_t:process sigkill; allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) @@ -7490,7 +7502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cupsd_t) kernel_read_network_state(cupsd_t) kernel_read_all_sysctls(cupsd_t) -@@ -150,21 +148,26 @@ +@@ -150,21 +149,26 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -7518,7 +7530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) mls_file_read_all_levels(cupsd_t) -@@ -174,6 +177,7 @@ +@@ -174,6 +178,7 @@ term_search_ptys(cupsd_t) auth_domtrans_chk_passwd(cupsd_t) @@ -7526,7 +7538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_dontaudit_read_pam_pid(cupsd_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -@@ -187,7 +191,7 @@ +@@ -187,7 +192,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -7535,7 +7547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -196,12 +200,9 @@ +@@ -196,12 +201,9 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) 
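Review bot: The added `allow cupsd_t hplip_t:process sigkill;` in cups.te grants a single signal but carries no comment saying why the print daemon must forcibly kill hplip processes; a one-liner such as `# cupsd needs to SIGKILL hplip backends it spawned (reason presumed; confirm against the AVC)` would keep the next maintainer from quietly widening it to `signal_perms`. If the denial behind this was cupsd sending SIGTERM before SIGKILL, `signal` will be the next AVC to appear; grant the signals actually observed and no more. Since hplip_t is declared in the same cups.te (visible in the preceding hunk's context), a raw allow rule here is acceptable without an interface. The inner hunk header is correctly bumped to `+120,14` for the added line.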
@@ -7549,7 +7561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups init_exec_script_files(cupsd_t) -@@ -221,17 +222,38 @@ +@@ -221,17 +223,38 @@ sysnet_read_config(cupsd_t) @@ -7588,7 +7600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups apm_domtrans_client(cupsd_t) ') -@@ -263,16 +285,16 @@ +@@ -263,16 +286,16 @@ ') optional_policy(` @@ -7609,7 +7621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -331,6 +353,7 @@ +@@ -331,6 +354,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -7617,7 +7629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -377,6 +400,14 @@ +@@ -377,6 +401,14 @@ ') optional_policy(` @@ -7632,7 +7644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -393,6 +424,7 @@ +@@ -393,6 +425,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -7640,7 +7652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -482,6 +514,8 @@ +@@ -482,6 +515,8 @@ files_read_etc_files(cupsd_lpd_t) @@ -7649,7 +7661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(cupsd_lpd_t) libs_use_shared_libs(cupsd_lpd_t) -@@ -489,22 +523,12 @@ +@@ -489,22 +524,12 @@ miscfiles_read_localization(cupsd_lpd_t) @@ -7672,7 +7684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # HPLIP local policy -@@ -525,11 +549,9 @@ +@@ -525,11 +550,9 @@ allow hplip_t cupsd_etc_t:dir search; cups_stream_connect(hplip_t) 
@@ -7687,7 +7699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -560,7 +582,9 @@ +@@ -560,7 +583,9 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -7698,7 +7710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -587,8 +611,6 @@ +@@ -587,8 +612,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -7707,7 +7719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) ') -@@ -668,3 +690,15 @@ +@@ -668,3 +691,15 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -18444,7 +18456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-20 17:17:41.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-20 17:23:44.000000000 -0500 @@ -29,8 +29,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 0645a15..d1d2f70 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 59%{?dist} +Release: 60%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -303,7 +303,7 @@ fi exit 0 -%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-44-1 +%triggerpostun targeted -- selinux-policy-targeted =< 3.0.8-59-1 semanage user -m -r s0-s0:c0.c1023 unconfined_u 2> /dev/null exit 0 @@ -380,6 +380,13 @@ exit 0 %endif %changelog +* Wed Nov 20 2007 Dan Walsh 3.0.8-60 +- Allow cupsd to sigkill hplip_t +- Allow automount to create fifo files +- Allow xguest to mount hal devices and read/write file systems +- that do not support extended attributes. Allows kiosk users to +- copy to usb media + * Tue Nov 20 2007 Dan Walsh 3.0.8-59 - Allow logwatch to search all directories - Allow sendmail to use sasl
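Review bot: The `%triggerpostun` bound moves from `< 3.0.8-44-1` to `=< 3.0.8-59-1`, which re-runs `semanage user -m -r s0-s0:c0.c1023 unconfined_u` on upgrades from every release up to 59, yet the new changelog entry does not mention it. `=<` is, as far as I recall, accepted by rpm as a synonym for `<=`, but it is an unusual spelling, and the doubled dash in `3.0.8-59-1` makes rpm split the EVR as version `3.0.8-59`, release `1`, which only matches the real `59%{?dist}` releases by accident of version comparison. The conventional form is `%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-60`, which fires for any installed 3.0.8 release below the one being built without relying on that parsing. Separately, the changelog bullet about xguest mounting hal devices and writing non-xattr filesystems has no matching hunk in this diff (the policy-patch offsets shift by exactly the 11 automount.fc lines plus the 1 cupsd sigkill line), so either that change lives in a file outside this view or the entry is ahead of the code.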