From 6c319e4011da25c0509a96abfc248d8fedbd3a00 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 22 2007 12:15:13 +0000 Subject: - Fix service start stop terminal avc's --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 053cbaf..2dd68b3 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -312,6 +312,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if +--- nsaserefpolicy/policy/modules/admin/alsa.if 2007-05-29 14:10:59.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-09-22 06:43:02.000000000 -0400 +@@ -74,3 +74,39 @@ + read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) + read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) + ') ++ ++######################################## ++## ++## search alsa lib config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`alsa_search_lib',` ++ gen_require(` ++ type alsa_var_lib_t; ++ ') ++ ++ allow $1 alsa_var_lib_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Read alsa lib config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`alsa_read_lib',` ++ gen_require(` ++ type alsa_var_lib_t; ++ ') ++ ++ read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-21 19:08:24.000000000 -0400 
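Review bot: The two new interfaces `alsa_search_lib` and `alsa_read_lib` grant access only on `alsa_var_lib_t` itself, so a caller that does not already hold search on `var_lib_t` is still denied at /var/lib before it ever reaches /var/lib/alsa; most sibling `*_search_lib`/`*_read_lib` interfaces in refpolicy carry that parent search themselves. Add `files_search_var_lib($1)` ahead of the allow rule in both interfaces so each is self-sufficient for its callers (udev_t is added as one in this same patch). The summary of `alsa_search_lib` also says "search alsa lib config files" while the rule is `dir search_dir_perms`; `Search the ALSA state directory (/var/lib/alsa).` describes what is actually granted.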
@@ -2429,7 +2472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-09-21 14:29:01.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-09-22 08:10:42.000000000 -0400 @@ -20,6 +20,7 @@ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) 
@@ -2442,10 +2485,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/input/uimput -c gen_context(system_u:object_r:scanner_device_t,s0) ++/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if +--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-06-15 14:54:30.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-09-22 08:11:28.000000000 -0400 +@@ -1306,6 +1306,44 @@ + + ######################################## + ## ++## Get the attributes of the event devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_event_dev',` ++ gen_require(` ++ type device_t, event_device_t; ++ ') ++ ++ allow $1 device_t:dir r_dir_perms; ++ allow $1 event_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of the event devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_event_dev',` ++ gen_require(` ++ type device_t, event_device_t; ++ ') ++ ++ allow $1 device_t:dir r_dir_perms; ++ allow $1 event_device_t:chr_file setattr; ++') ++ ++######################################## ++## + ## Read input event devices (/dev/input). + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-09-17 16:20:18.000000000 -0400 
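Review bot: Relabeling `/dev/input/uinput` from `scanner_device_t` to `event_device_t` (while fixing the `uimput` typo) puts the input-injection device under the same type as the read-side event nodes, so every domain that already has write access to `event_device_t` can now also create virtual input devices and feed synthesized keystrokes into the console/X input stream. That is a different trust boundary from reading /dev/input/event*, and nothing in the hunk records it; at minimum add `# uinput: write access lets a domain inject input events, not merely read them` above the fc line, and consider whether uinput deserves its own type. The added `dev_getattr_event_dev`/`dev_setattr_event_dev` interfaces follow the existing `dev_*attr_*_dev` shape (`device_t:dir r_dir_perms` plus the chr_file permission) and look consistent with their neighbours.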
@@ -3730,7 +3821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-09-22 07:26:32.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -6290,7 +6381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-22 07:42:39.000000000 -0400 @@ -42,6 +42,10 @@ dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; @@ -6302,7 +6393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; -@@ -172,3 +176,25 @@ +@@ -172,3 +176,26 @@ allow $1 krb5kdc_conf_t:file read_file_perms; ') @@ -6325,6 +6416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + + files_search_tmp($1) + allow $1 self:process setfscreate; ++ selinux_validate_context($1) + seutil_read_file_contexts($1) + allow $1 krb5_host_rcache_t:file manage_file_perms; +') 
@@ -6977,6 +7069,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ######################################## # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc +--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:50.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2007-09-22 07:16:25.000000000 -0400 +@@ -5,3 +5,4 @@ + /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/log/wpa_supplicant.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-15 14:54:33.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2007-09-20 08:50:57.000000000 -0400 
@@ -7007,8 +7107,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-20 08:50:29.000000000 -0400 -@@ -20,7 +20,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-22 07:14:54.000000000 -0400 +@@ -13,6 +13,9 @@ + type NetworkManager_var_run_t; + files_pid_file(NetworkManager_var_run_t) + ++type NetworkManager_log_t; ++files_pid_file(NetworkManager_log_t) ++ + ######################################## + # + # Local policy +@@ -20,7 +23,7 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) @@ -7017,7 +7127,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -@@ -138,6 +138,9 @@ +@@ -38,6 +41,9 @@ + manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) + files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) + ++manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t) ++logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file) ++ + kernel_read_system_state(NetworkManager_t) + kernel_read_network_state(NetworkManager_t) + kernel_read_kernel_sysctls(NetworkManager_t) +@@ -138,6 +144,9 @@ dbus_system_bus_client_template(NetworkManager,NetworkManager_t) dbus_connect_system_bus(NetworkManager_t) dbus_send_system_bus(NetworkManager_t) 
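Review bot: `NetworkManager_log_t` is declared with `files_pid_file(NetworkManager_log_t)` although it is used purely as a log type — it is the label for /var/log/wpa_supplicant.log in the .fc hunk and is created through `logging_log_filetrans` further down. With the pidfile attribute instead of logfile the file is invisible to the logging-side interfaces (logrotate, log readers, anything keyed on the `logfile` attribute) and is treated as a /var/run object by anything keyed on `pidfile`. The declaration should be `logging_log_file(NetworkManager_log_t)`.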
@@ -7027,7 +7147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -173,8 +176,10 @@ +@@ -173,8 +182,10 @@ ') optional_policy(` @@ -8015,7 +8135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-09-22 07:43:42.000000000 -0400 @@ -64,9 +64,10 @@ fs_getattr_xattr_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) 
@@ -8028,25 +8148,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -82,7 +83,7 @@ +@@ -82,21 +83,17 @@ miscfiles_read_localization(rlogind_t) -seutil_dontaudit_search_config(rlogind_t) +- +-sysnet_read_config(rlogind_t) +seutil_read_config(rlogind_t) - sysnet_read_config(rlogind_t) + userdom_setattr_unpriv_users_ptys(rlogind_t) + # cjp: this is egregious + userdom_read_all_users_home_content_files(rlogind_t) -@@ -93,7 +94,9 @@ remotelogin_domtrans(rlogind_t) ++remotelogin_signal(rlogind_t) optional_policy(` + kerberos_use(rlogind_t) kerberos_read_keytab(rlogind_t) +-') +- +-ifdef(`TODO',` +-# Allow krb5 rlogind to use fork and open /dev/tty for use +-allow rlogind_t userpty_type:chr_file setattr; + kerberos_manage_host_rcache(rlogind_t) ') - - ifdef(`TODO',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-07-03 07:06:27.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2007-09-17 16:20:18.000000000 -0400 @@ -8920,7 +9047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-09-22 07:08:31.000000000 -0400 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) 
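Review bot: `seutil_read_config(rlogind_t)` turns a dontaudit into a real grant on /etc/selinux/config with no comment saying what in rlogind now reads it; presumably it is the krb5 replay-cache labeling added in the same hunk (`kerberos_manage_host_rcache` uses setfscreate, and libselinux reads the config to locate the file_contexts it validates against), in which case the rule should carry `# libkrb5 labels its host rcache via libselinux, which reads /etc/selinux/config`. If that is the reason, the grant belongs inside `kerberos_manage_host_rcache` next to its existing `seutil_read_file_contexts($1)` rather than being duplicated in every caller. The `remotelogin_signal(rlogind_t)` addition is fine as far as this hunk shows.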
@@ -9460,7 +9587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-09-22 07:45:00.000000000 -0400 @@ -32,7 +32,6 @@ allow telnetd_t self:udp_socket create_socket_perms; # for identd; cjp: this should probably only be inetd_child rules? @@ -9482,7 +9609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln files_read_etc_files(telnetd_t) files_read_etc_runtime_files(telnetd_t) # for identd; cjp: this should probably only be inetd_child rules? -@@ -80,9 +81,7 @@ +@@ -80,27 +81,26 @@ miscfiles_read_localization(telnetd_t) @@ -9493,7 +9620,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln remotelogin_domtrans(telnetd_t) -@@ -90,17 +89,16 @@ ++userdom_search_unpriv_users_home_dirs(telnetd_t) ++ + # for identd; cjp: this should probably only be inetd_child rules? optional_policy(` kerberos_use(telnetd_t) kerberos_read_keytab(telnetd_t) @@ -10565,7 +10694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-08-22 07:14:12.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-21 16:37:58.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-22 08:12:19.000000000 -0400 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; 
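Review bot: `userdom_search_unpriv_users_home_dirs(telnetd_t)` is added without a comment on why a daemon that hands the session to `remote_login_t` via `remotelogin_domtrans` needs to look inside user home directories before the transition; from here it reads like an AVC being silenced rather than a requirement. If telnetd really consults something under the home directory (a krb5 credential path, a dotfile), state it above the rule, e.g. `# telnetd searches the user's home dir for <reason> before domtrans to remote_login_t`; if it is only noise, a dontaudit of the same access is the narrower choice. Note it covers only unprivileged users' homes, so the same denial will reappear for staff/sysadm logins if the access is genuine.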
@@ -10601,7 +10730,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -@@ -159,6 +173,8 @@ +@@ -149,6 +163,8 @@ + dev_setattr_apm_bios_dev(pam_console_t) + dev_getattr_dri_dev(pam_console_t) + dev_setattr_dri_dev(pam_console_t) ++dev_getattr_event_dev(pam_console_t) ++dev_setattr_event_dev(pam_console_t) + dev_getattr_framebuffer_dev(pam_console_t) + dev_setattr_framebuffer_dev(pam_console_t) + dev_getattr_generic_usb_dev(pam_console_t) +@@ -159,6 +175,8 @@ dev_setattr_mouse_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t) @@ -10610,7 +10748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) -@@ -236,7 +252,7 @@ +@@ -236,7 +254,7 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) @@ -10619,7 +10757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -302,3 +318,28 @@ +@@ -302,3 +320,28 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') 
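Review bot: `dev_setattr_event_dev(pam_console_t)` gives pam_console chown/chmod over every `event_device_t` node, and this same commit relabels `/dev/input/uinput` to `event_device_t`; pam_console exists to hand device ownership to the console user, so any /etc/security/console.perms entry whose glob matches uinput would let that user create virtual input devices and inject keystrokes into other sessions. Either keep uinput out of the console-user device classes and record that with `# event devices now include /dev/input/uinput; console.perms must not hand it to the user`, or give uinput its own type so the setattr here cannot reach it. The `dev_getattr_event_dev` half is harmless.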
@@ -10829,8 +10967,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-08-22 07:14:12.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-09-17 16:20:18.000000000 -0400 -@@ -540,18 +540,19 @@ ++++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-09-22 07:07:39.000000000 -0400 +@@ -211,6 +211,13 @@ + kernel_dontaudit_use_fds($1) + ') + ') ++ tunable_policy(`allow_daemons_use_tty',` ++ term_use_all_user_ttys($1) ++ term_use_all_user_ptys($1) ++ ', ` ++ term_dontaudit_use_all_user_ttys($1) ++ term_dontaudit_use_all_user_ptys($1) ++ ') + ') + + ######################################## +@@ -540,18 +547,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -10854,7 +11006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -567,18 +568,46 @@ +@@ -567,18 +575,46 @@ # interface(`init_domtrans_script',` gen_require(` @@ -10905,7 +11057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -609,11 +638,11 @@ +@@ -609,11 +645,11 @@ # cjp: added for gentoo integrated run_init interface(`init_script_file_domtrans',` gen_require(` @@ -10919,7 +11071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -684,11 +713,11 @@ +@@ -684,11 +720,11 @@ # interface(`init_getattr_script_files',` gen_require(` @@ -10933,7 +11085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -703,11 +732,11 @@ +@@ -703,11 +739,11 @@ # interface(`init_exec_script_files',` gen_require(` 
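Review bot: The `allow_daemons_use_tty` block added at init.if line 211 (inside an interface whose head lies outside the hunk, presumably `init_daemon_domain`) grants `$1` read/write on every user tty and pty when the tunable is on, and the init.te hunk in this same patch adds the identical four rules for the `daemon` attribute. If every domain passing through this interface also carries `daemon`, the per-interface copy is redundant and simply re-emits the rules in every module; keep one of the two. Whichever copy stays should say what it opens, since with the tunable on any daemon can read keystrokes from or write escape sequences to any user's terminal, not only the one `service foo start` was run from: `# tunable on: daemons may use *any* user tty/pty, not just the one they inherited`.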
@@ -10947,7 +11099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -931,6 +960,7 @@ +@@ -931,6 +967,7 @@ dontaudit $1 initrc_t:unix_stream_socket connectto; ') @@ -10955,7 +11107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ######################################## ## ## Send messages to init scripts over dbus. -@@ -1030,11 +1060,11 @@ +@@ -1030,11 +1067,11 @@ # interface(`init_read_script_files',` gen_require(` @@ -10969,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1252,7 +1282,7 @@ +@@ -1252,7 +1289,7 @@ type initrc_var_run_t; ') @@ -10978,7 +11130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1273,3 +1303,64 @@ +@@ -1273,3 +1310,64 @@ files_search_pids($1) allow $1 initrc_var_run_t:file manage_file_perms; ') @@ -11045,7 +11197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-09-18 11:07:20.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-09-22 07:06:37.000000000 -0400 @@ -10,6 +10,20 @@ # Declarations # @@ -11140,7 +11292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -497,6 +515,39 @@ +@@ -497,6 +515,43 @@ ') optional_policy(` 
@@ -11152,9 +11304,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) ++ term_use_all_user_ttys(daemon) ++ term_use_all_user_ptys(daemon) +', ` + term_dontaudit_use_unallocated_ttys(daemon) + term_dontaudit_use_generic_ptys(daemon) ++ term_dontaudit_use_all_user_ttys(daemon) ++ term_dontaudit_use_all_user_ptys(daemon) + ') + +# system-config-services causes avc messages that should be dontaudited @@ -11180,7 +11336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) ') -@@ -632,12 +683,6 @@ +@@ -632,12 +687,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -11193,7 +11349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -703,6 +748,9 @@ +@@ -703,6 +752,9 @@ # why is this needed: rpm_manage_db(initrc_t) 
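Review bot: `term_use_all_user_ttys(daemon)` / `term_use_all_user_ptys(daemon)` widen the `allow_daemons_use_tty` branch from unallocated ttys and generic ptys to every logged-in user's terminal, which is a far larger grant than "service start stop terminal avc's" suggests: with the boolean on, any domain carrying the `daemon` attribute may read from or write to any user's tty or pty, not just the one the administrator ran `service` from. The tunable's description (outside this hunk) should spell that out, and the block deserves `# NOTE: with the boolean on this reaches every user's terminal, not only the invoking one` so the next reader does not take it for a narrow fix. The init.if hunk in this same patch adds the same four rules per interface; one copy is enough.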
@@ -12991,6 +13147,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te +--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-09-22 06:43:22.000000000 -0400 +@@ -184,6 +184,10 @@ + ') + + optional_policy(` ++ alsa_search_lib(udev_t) ++') ++ ++optional_policy(` + brctl_domtrans(udev_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-05-29 14:10:58.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2007-09-21 06:46:14.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 31e3fc7..168d82a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -362,6 +362,9 @@ exit 0 %endif %changelog +* Sat Sep 22 2007 Dan Walsh 3.0.8-9 +- Fix service start stop terminal avc's + * Fri Sep 21 2007 Dan Walsh 3.0.8-8 - Allow also to search var_lib - New context for dbus launcher
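Review bot: `alsa_search_lib(udev_t)` lets udev search /var/lib/alsa but nothing says why; udev keeps no ALSA state of its own, so this is presumably a udev rule invoking `/sbin/alsactl restore` (labeled `alsa_exec_t` in the same patch) inside udev's own domain. If so, the better fix is a domain transition to the ALSA domain (alsa.if's domtrans interface, if present) so alsactl runs with its own access to `alsa_var_lib_t` instead of extending udev_t's reach into ALSA's state directory; if only a stat of the directory is needed, add `# udev rules stat /var/lib/alsa before invoking alsactl` above the call. The spec release bump and changelog entry are fine.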