From 63349a58b8707e1a2b286c620f4aeda64d435f22 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 21 2010 14:16:10 +0000 Subject: - Allow boinc projects to execute java --- diff --git a/policy-F13.patch b/policy-F13.patch index ec44540..e1eee2c 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -544,7 +544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.19/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/logrotate.te 2010-09-16 15:32:06.757637046 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/logrotate.te 2010-09-21 15:36:04.691635808 +0200 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -570,7 +570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota # cjp: why is this needed? logging_exec_all_logs(logrotate_t) -@@ -116,8 +118,9 @@ +@@ -116,16 +118,22 @@ seutil_dontaudit_read_config(logrotate_t) userdom_use_user_terminals(logrotate_t) @@ -581,8 +581,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -125,7 +128,7 @@ - mta_send_mail(logrotate_t) + +-mta_send_mail(logrotate_t) ++#mta_send_mail(logrotate_t) ++mta_base_mail_template(logrotate) ++mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) ++role system_r types logrotate_mail_t; ++logging_read_all_logs(logrotate_mail_t) ++manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; 
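Review bot: The logrotate.te hunk leaves `#mta_send_mail(logrotate_t)` behind as commented-out policy next to its replacement; since the call is superseded by `mta_base_mail_template(logrotate)` plus `mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)`, delete the line rather than comment it out, or keep one short comment saying why the send-mail interface was replaced by a dedicated mail domain. The new `logrotate_mail_t` domain is granted `logging_read_all_logs` and manage over `logrotate_tmp_t`, which is what mailing rotated logs needs, but a one-line comment such as `# sendmail child needs the rotated log and tmp copy it is asked to mail` above those rules would make the breadth of the read grant intentional rather than accidental. Neither the commit subject nor the spec changelog mentions the logrotate change at all, so add a changelog entry for it. The enclosing optional_policy blocks of logrotate.te continue past this hunk.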
@@ -590,7 +596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -137,6 +140,10 @@ +@@ -137,6 +145,10 @@ ') optional_policy(` @@ -601,7 +607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) acct_exec_data(logrotate_t) -@@ -149,6 +156,14 @@ +@@ -149,6 +161,14 @@ ') optional_policy(` @@ -616,7 +622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota consoletype_exec(logrotate_t) ') -@@ -157,11 +172,15 @@ +@@ -157,11 +177,15 @@ ') optional_policy(` @@ -633,7 +639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota ') optional_policy(` -@@ -183,6 +202,19 @@ +@@ -183,6 +207,19 @@ ') optional_policy(` @@ -653,7 +659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota slrnpull_manage_spool(logrotate_t) ') -@@ -191,5 +223,9 @@ +@@ -191,5 +228,9 @@ ') optional_policy(` @@ -16679,8 +16685,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-30 20:30:56.405084998 +0200 -@@ -0,0 +1,163 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-09-21 15:44:46.945387235 +0200 +@@ -0,0 +1,176 @@ + +policy_module(boinc,1.0.0) + @@ -16711,6 +16717,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +domain_type(boinc_project_t) +role system_r types boinc_project_t; + ++type boinc_project_tmp_t; ++files_tmp_file(boinc_tmp_t) ++ +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + 
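Review bot: `files_tmp_file(boinc_tmp_t)` is applied to the wrong type: the declaration immediately above it is `type boinc_project_tmp_t;`, so `boinc_project_tmp_t` never receives the tmp file attributes, and the `files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })` added later in this change would create files of a type that is not a `file_type` (in refpolicy that also means no `fs_associate`, so the creation itself is likely denied). If `boinc_tmp_t` is not declared elsewhere in boinc.te this does not even build; if it is, the mistake is silent. Change the line to `files_tmp_file(boinc_project_tmp_t)`.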
@@ -16810,6 +16819,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +allow boinc_project_t self:shm create_shm_perms; +allow boinc_project_t self:sem create_sem_perms; + ++manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) ++manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) ++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file }) ++ +allow boinc_project_t boinc_project_var_lib_t:file entrypoint; +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) @@ -16835,7 +16848,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +corenet_tcp_connect_boinc_port(boinc_project_t) + ++dev_read_rand(boinc_project_t) +dev_read_urand(boinc_project_t) ++dev_read_sysfs(boinc_project_t) +dev_rw_xserver_misc(boinc_project_t) + +files_read_etc_files(boinc_project_t) @@ -16843,7 +16858,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +auth_use_nsswitch(boinc_project_t) + +miscfiles_read_localization(boinc_project_t) ++miscfiles_read_fonts(boinc_project_t) + ++optional_policy(` ++ java_exec(boinc_project_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.19/policy/modules/services/bugzilla.fc --- nsaserefpolicy/policy/modules/services/bugzilla.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/services/bugzilla.fc 2010-05-28 09:42:00.069610831 +0200 diff --git a/selinux-policy.spec b/selinux-policy.spec index d50c9b2..edd6db2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 59%{?dist} +Release: 60%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
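Review bot: `dev_read_rand(boinc_project_t)` hands untrusted project applications read access to the blocking pool (/dev/random), and on the kernels this policy targets a misbehaving project can drain it and stall other local consumers such as key generation; `dev_read_urand` is already granted in the same block and is what most software, including the JVM by default, actually needs. Unless a specific project is known to fail without /dev/random, prefer `dev_dontaudit_read_rand(boinc_project_t)` (if that interface is present in this refpolicy version) and note the reason in a comment, e.g. `# projects get urandom only; /dev/random reads would let a project starve the host of entropy`.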
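Review bot: `java_exec(boinc_project_t)` runs the JVM inside `boinc_project_t` with no domain transition, which is the right choice for confining untrusted project code, but it means the project domain itself must carry whatever the JVM needs at runtime; JVMs commonly require `self:process execmem` (and some builds `execstack`), and this hunk adds neither, so if those rules are not already in the domain's process permissions elsewhere in boinc.te expect AVC denials as soon as a Java project starts. Either confirm the existing `allow boinc_project_t self:process ...` line covers it, or add the permission behind a boolean so the widening is opt-in. Also add a one-line comment above the optional block, e.g. `# project apps may ship Java code; run the JVM in-domain so it stays confined as the project, not as java_t`, since the reader otherwise has to guess why exec rather than domtrans was chosen.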
@@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Tue Sep 21 2010 Miroslav Grepl 3.7.19-60 +- Allow boinc projects to execute java + * Wed Sep 16 2010 Miroslav Grepl 3.7.19-59 - Add cluster_var_lib_t type and label for /var/lib/cluster