From 6cf32a1e8bd25dc91c2de1f8f49095e5cbccbf69 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 21 2009 21:22:11 +0000 Subject: - Add wm policy - Make mls work in graphics mode --- diff --git a/policy-20090105.patch b/policy-20090105.patch index df9c30f..49fb286 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -22565,7 +22565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 14:02:11.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 16:14:47.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -23034,7 +23034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +817,12 @@ +@@ -697,8 +817,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23043,11 +23043,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_xwin_read_to_clearance(xserver_t) +mls_process_write_to_clearance(xserver_t) -+mls_file_write_to_clearance(xserver_t) ++mls_file_read_to_clearance(xserver_t) ++mls_file_write_all_levels(xserver_t) selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +844,7 @@ +@@ -720,6 +845,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -23055,7 +23056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -774,6 +899,10 @@ +@@ -774,6 +900,10 @@ ') optional_policy(` 
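Review bot: In the hunk at `@@ -23043,11 +23043,12 @@`, the new line `++mls_file_write_all_levels(xserver_t)` replaces the clearance-bounded `mls_file_write_to_clearance(xserver_t)` with an override that, in reference policy, exempts xserver_t from the MLS write constraint on files at every level, while reads stay bounded by the new `mls_file_read_to_clearance(xserver_t)`; nothing in the hunk or the commit message ("Make mls work in graphics mode") records which denial made the narrower write rule insufficient. Because this is a policy-wide attribute grant rather than a rule scoped to specific object types, it should carry a justification next to it in xserver.te, e.g. `# MLS graphical login: X server writes files at all levels (document the denial that required this)`. If the need is confined to particular file types, a scoped allow rule is preferable to the attribute-wide override. The surrounding xserver_t rule block continues outside this hunk.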
@@ -23066,7 +23067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') -@@ -806,7 +935,7 @@ +@@ -806,7 +936,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -23075,7 +23076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -830,6 +959,10 @@ +@@ -830,6 +960,10 @@ xserver_use_user_fonts(xserver_t) @@ -23086,7 +23087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +977,14 @@ +@@ -844,11 +978,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -23102,7 +23103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +992,11 @@ +@@ -856,6 +993,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -23114,7 +23115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -972,6 +1113,37 @@ +@@ -972,6 +1114,37 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -23152,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1158,13 @@ +@@ -986,3 +1159,13 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO 
@@ -23783,7 +23784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/init.if 2009-01-20 14:42:59.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/init.if 2009-01-21 16:19:55.000000000 -0500 @@ -280,6 +280,27 @@ kernel_dontaudit_use_fds($1) ') @@ -23812,6 +23813,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +@@ -546,7 +567,7 @@ + + # upstart uses a datagram socket instead of initctl pipe + allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 init_t:unix_dgram_socket sendto; ++ init_chat($1) + ') + ') + @@ -619,18 +640,19 @@ # interface(`init_spec_domtrans_script',` @@ -27350,7 +27360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-21 15:37:07.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-21 16:19:30.000000000 -0500 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b9945c5..9ea2280 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.3 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
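Review bot: In the added inner hunk `+@@ -546,7 +567,7 @@` of init.if, `allow $1 init_t:unix_dgram_socket sendto;` is replaced by `init_chat($1)`, but the definition of `init_chat` is not among this commit's visible hunks, so a reader cannot tell from the diff whether the caller keeps exactly the one-way sendto it had or also gains whatever else that interface grants (for instance the reverse direction from init_t). The enclosing interface's name and header also lie outside the hunk, which makes the change hard to audit in isolation. A call-site comment such as `# init_chat($1) replaces the former one-way sendto rule; confirm it grants no more than that` would make the intended scope explicit, and if `init_chat` is defined elsewhere in this patch series, naming that location in the commit description would help the next reviewer.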
@@ -445,8 +445,9 @@ exit 0 %endif %changelog -* Wed Jan 21 2009 Dan Walsh 3.6.3-4 +* Wed Jan 21 2009 Dan Walsh 3.6.3-5 - Add wm policy +- Make mls work in graphics mode * Tue Jan 20 2009 Dan Walsh 3.6.3-3 - Fixed for DeviceKit