From 7c1c1729f912f1e05d7f7aa2b651243a00cf8995 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sep 26 2007 22:01:27 +0000
Subject: - Allow xdm to talk to input device (fingerprint reader) - Allow octave to run as java
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index 0f5e2fa..2852a78 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -314,7 +314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if
 --- nsaserefpolicy/policy/modules/admin/alsa.if 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-09-22 06:43:02.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-09-25 15:03:17.000000000 -0400
 @@ -74,3 +74,39 @@
 read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
 read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
@@ -1508,7 +1508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 application_executable_file(gconfd_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2007-09-20 18:08:22.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2007-09-25 17:13:09.000000000 -0400
 @@ -11,6 +11,7 @@
 #
 /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -1528,7 +1528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) -+ ++/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-20 18:26:14.000000000 -0400 @@ -2565,7 +2565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-09-25 12:10:32.000000000 -0400 @@ -45,6 +45,11 @@ # start with basic domain domain_base_type($1) @@ -5117,7 +5117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-09-24 14:34:13.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-09-25 15:01:58.000000000 -0400 @@ -48,9 +48,7 @@ type hplip_t; type hplip_exec_t; 
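Review bot: The new file context `/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)` makes octave transition into the java domain and so inherit that domain's whole permission set instead of one sized for octave; neither the entry nor the commit message says which java_t permission octave actually needs (presumably a memory-protection one, as for the openoffice entry just above it, but that is a guess). Reusing java_exec_t this way also means any later loosening of the java domain silently applies to octave. A one-line comment in java.fc recording the reason would save the next reader the archaeology, e.g. `# octave needs the java domain's permissions (see <bug/ticket placeholder>)` once the reason is confirmed. The remaining hunks on this line only refresh timestamps in the nested patch headers.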
@@ -5280,15 +5280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -331,6 +355,7 @@ - dev_read_sysfs(cupsd_config_t) - dev_read_urand(cupsd_config_t) - dev_read_rand(cupsd_config_t) -+dev_rw_generic_usb_dev(cupsd_config_t) - - fs_getattr_all_fs(cupsd_config_t) - fs_search_auto_mountpoints(cupsd_config_t) -@@ -377,6 +402,14 @@ +@@ -377,6 +401,14 @@ ') optional_policy(` @@ -5303,19 +5295,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -526,11 +559,6 @@ +@@ -525,11 +557,9 @@ + allow hplip_t cupsd_etc_t:dir search; cups_stream_connect(hplip_t) - +- -allow hplip_t hplip_etc_t:dir list_dir_perms; -read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) -read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) -files_search_etc(hplip_t) -- ++# For CUPS to run as a backend ++allow cupsd_t hplip_t:process signal; ++allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms; + manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) - -@@ -560,7 +588,7 @@ +@@ -560,7 +590,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -5324,7 +5319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -587,8 +615,6 @@ +@@ -587,8 +617,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) 
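Review bot: The added comment `# For CUPS to run as a backend` reads backwards relative to the two rules under it: hplip_t is the backend that cupsd runs, `allow cupsd_t hplip_t:process signal;` lets the daemon signal that backend, and `allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms;` lets the backend talk on a cupsd_t-owned stream socket (presumably one it inherits when cupsd spawns it). Suggest `# hplip runs as a CUPS backend: cupsd signals it and it answers on the stream socket it inherits from cupsd`. The hplip local-policy section these rules belong to starts and ends outside the hunk.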
@@ -6465,7 +6460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-25 11:00:13.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-25 13:08:41.000000000 -0400 @@ -42,6 +42,10 @@ dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; @@ -6477,7 +6472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; -@@ -172,3 +176,47 @@ +@@ -172,3 +176,51 @@ allow $1 krb5kdc_conf_t:file read_file_perms; ') @@ -6498,11 +6493,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + type krb5_host_rcache_t; + ') + -+ files_search_tmp($1) -+ allow $1 self:process setfscreate; -+ selinux_validate_context($1) -+ seutil_read_file_contexts($1) -+ allow $1 krb5_host_rcache_t:file manage_file_perms; ++ tunable_policy(`allow_kerberos',` ++ files_search_tmp($1) ++ allow $1 self:process setfscreate; ++ selinux_validate_context($1) ++ seutil_read_file_contexts($1) ++ allow $1 krb5_host_rcache_t:file manage_file_perms; ++ ') ++ # creates files as system_u no matter what the selinux user ++ domain_obj_id_change_exemption($1) +') + +######################################## 
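Review bot: `domain_obj_id_change_exemption($1)` is applied unconditionally while the rcache file rules above it are now gated by `tunable_policy(\`allow_kerberos\', ...)`, so every caller of this interface keeps the exemption even when the boolean is off. If I recall correctly that is forced rather than chosen, because the exemption is an attribute assignment and attributes cannot be set inside a conditional block, but the comment should say so instead of only stating the effect, e.g. `# attribute assignment cannot be conditional, so this exemption applies even when allow_kerberos is off; needed because the rcache files are created as system_u regardless of the caller's SELinux user`. The interface header and its documentation block are outside the hunk; the interface summary there should mention the exemption as well, since it is the one grant a caller cannot switch off.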
@@ -7649,7 +7648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-09-26 10:26:56.000000000 -0400 @@ -41,6 +41,8 @@ allow postfix_$1_t self:unix_stream_socket connectto; @@ -7659,7 +7658,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_$1_t postfix_etc_t:dir list_dir_perms; read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t) -@@ -66,6 +68,7 @@ +@@ -56,6 +58,8 @@ + allow postfix_$1_t postfix_var_run_t:file manage_file_perms; + files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file) + ++ auth_use_nsswitch(postfix_$1_t) ++ + kernel_read_system_state(postfix_$1_t) + kernel_read_network_state(postfix_$1_t) + kernel_read_all_sysctls(postfix_$1_t) +@@ -66,6 +70,7 @@ fs_search_auto_mountpoints(postfix_$1_t) fs_getattr_xattr_fs(postfix_$1_t) @@ -7667,19 +7675,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post term_dontaudit_use_console(postfix_$1_t) -@@ -132,10 +135,8 @@ +@@ -132,11 +137,6 @@ corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) - sysnet_read_config(postfix_$1_t) - - optional_policy(` +- optional_policy(` - nis_use_ypbind(postfix_$1_t) -+ auth_use_nsswitch(postfix_$1_t) - ') +- ') ') -@@ -269,6 +270,42 @@ + ######################################## +@@ -269,6 +269,42 @@ ######################################## ## 
@@ -7722,7 +7730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Do not audit attempts to use ## postfix master process file ## file descriptors. -@@ -434,6 +471,25 @@ +@@ -434,6 +470,25 @@ ######################################## ## @@ -7748,7 +7756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## -@@ -450,3 +506,22 @@ +@@ -450,3 +505,22 @@ typeattribute $1 postfix_user_domtrans; ') @@ -7773,7 +7781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-09-25 10:06:53.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-09-26 10:27:53.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
@@ -7813,37 +7821,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix master process local policy -@@ -168,6 +186,11 @@ +@@ -164,10 +182,9 @@ + # postfix does a "find" on startup for some reason - keep it quiet + seutil_dontaudit_search_config(postfix_master_t) +-sysnet_read_config(postfix_master_t) +- mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +term_dontaudit_search_ptys(postfix_master_t) -+ -+optional_policy(` -+ auth_use_nsswitch(postfix_master_t) -+') optional_policy(` cyrus_stream_connect(postfix_master_t) -@@ -179,9 +202,17 @@ +@@ -179,7 +196,11 @@ ') optional_policy(` +- nis_use_ypbind(postfix_master_t) + mysql_stream_connect(postfix_master_t) +') + +optional_policy(` - nis_use_ypbind(postfix_master_t) ++ sendmail_signal(postfix_master_t) ') -+optional_policy(` -+ sendmail_signal(postfix_master_t) -+') -+ ########################################################### - # - # Partially converted rules. THESE ARE ONLY TEMPORARY -@@ -263,6 +294,8 @@ +@@ -263,6 +284,8 @@ files_read_etc_files(postfix_local_t) @@ -7852,7 +7855,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -377,7 +410,7 @@ +@@ -336,8 +359,6 @@ + + seutil_read_config(postfix_map_t) + +-sysnet_read_config(postfix_map_t) +- + tunable_policy(`read_default_t',` + files_list_default(postfix_map_t) + files_read_default_files(postfix_map_t) +@@ -377,7 +398,7 @@ # Postfix pipe local policy # @@ -7861,7 +7873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -386,6 +419,10 @@ +@@ -386,6 +407,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` 
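Review bot: Dropping `sysnet_read_config(postfix_master_t)` here, and `sysnet_dns_name_resolve`/`sysnet_dontaudit_read_config` for postfix_postdrop_t, postfix_postqueue_t and postfix_showq_t in the next hunks, leaves resolver and name-service access for those domains to the `auth_use_nsswitch(postfix_$1_t)` call the postfix.if hunk adds to the template. That only holds if each of these domains is instantiated through that template; if any of them is declared directly in postfix.te (the declarations section is outside the hunk), it loses resolv.conf access and DNS lookups will be denied. As I recall auth_use_nsswitch does include sysnet_dns_name_resolve, so the substitution is otherwise sound, but worth confirming against the declarations. A comment next to the template call, `# name-service access, including resolv.conf, now comes from auth_use_nsswitch in the template`, would make the dependency visible to whoever next edits these domains.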
@@ -7872,7 +7884,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -426,6 +463,11 @@ +@@ -418,14 +443,17 @@ + term_dontaudit_use_all_user_ptys(postfix_postdrop_t) + term_dontaudit_use_all_user_ttys(postfix_postdrop_t) + +-sysnet_dns_name_resolve(postfix_postdrop_t) +- + mta_rw_user_mail_stream_sockets(postfix_postdrop_t) + + optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -7884,7 +7904,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) -@@ -505,8 +547,6 @@ +@@ -454,8 +482,6 @@ + init_sigchld_script(postfix_postqueue_t) + init_use_script_fds(postfix_postqueue_t) + +-sysnet_dontaudit_read_config(postfix_postqueue_t) +- + ######################################## + # + # Postfix qmgr local policy +@@ -498,15 +524,11 @@ + term_use_all_user_ptys(postfix_showq_t) + term_use_all_user_ttys(postfix_showq_t) + +-sysnet_dns_name_resolve(postfix_showq_t) +- + ######################################## + # # Postfix smtp delivery local policy # @@ -7893,7 +7929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -514,6 +554,8 @@ +@@ -514,6 +536,8 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -7902,7 +7938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -538,9 +580,45 @@ +@@ -538,9 +562,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` 
@@ -8265,8 +8301,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-09-22 07:43:42.000000000 -0400 -@@ -64,9 +64,10 @@ ++++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-09-25 11:50:50.000000000 -0400 +@@ -36,6 +36,8 @@ + allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; + term_create_pty(rlogind_t,rlogind_devpts_t) + ++domain_interactive_fd(rlogind_t) ++ + # for /usr/lib/telnetlogin + can_exec(rlogind_t, rlogind_exec_t) + +@@ -64,9 +66,10 @@ fs_getattr_xattr_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) @@ -8278,7 +8323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -82,21 +83,17 @@ +@@ -82,21 +85,17 @@ miscfiles_read_localization(rlogind_t) @@ -8702,7 +8747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-09-25 17:09:36.000000000 -0400 @@ -137,6 +137,11 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) 
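Review bot: `domain_interactive_fd(rlogind_t)` (and the matching `domain_interactive_fd(telnetd_t)` on the telnet.te hunk further down) marks these daemons' file descriptors as usable by every domain that calls domain_use_interactive_fds, which in refpolicy is a large set; for a plaintext network login service that means the inherited connection socket and pty descriptors become reachable well beyond the session the daemon spawns. This matches what sshd already does, so it is presumably needed for the user session to use the descriptors login hands it, but neither hunk says why. Suggest `# login-program semantics: the user session inherits the connection and pty descriptors` above each call. The rlogind local policy section continues outside the hunk.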
@@ -9302,7 +9347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-09-26 11:12:03.000000000 -0400 @@ -67,6 +67,7 @@ corenet_sendrecv_smtp_client_packets(setroubleshootd_t) @@ -9618,7 +9663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.8/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-09-25 12:18:11.000000000 -0400 @@ -202,6 +202,7 @@ # template(`ssh_per_role_template',` @@ -9743,8 +9788,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-09-22 07:45:00.000000000 -0400 -@@ -32,7 +32,6 @@ ++++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-09-25 11:50:42.000000000 -0400 +@@ -32,12 +32,13 @@ allow telnetd_t self:udp_socket create_socket_perms; # for identd; cjp: this should probably only be inetd_child rules? allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; 
@@ -9752,7 +9797,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln allow telnetd_t self:capability { setuid setgid }; allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; -@@ -62,10 +61,12 @@ + term_create_pty(telnetd_t,telnetd_devpts_t) + ++domain_interactive_fd(telnetd_t) ++ + manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t) + manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t) + files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) +@@ -62,10 +63,12 @@ fs_getattr_xattr_fs(telnetd_t) @@ -9765,7 +9817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln files_read_etc_files(telnetd_t) files_read_etc_runtime_files(telnetd_t) # for identd; cjp: this should probably only be inetd_child rules? -@@ -80,27 +81,26 @@ +@@ -80,27 +83,26 @@ miscfiles_read_localization(telnetd_t) @@ -10272,7 +10324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-21 19:21:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-26 09:40:50.000000000 -0400 @@ -16,6 +16,13 @@ ## 
@@ -10317,7 +10369,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -246,6 +259,7 @@ +@@ -197,6 +210,7 @@ + dev_getattr_mouse_dev(xdm_t) + dev_setattr_mouse_dev(xdm_t) + dev_rw_apm_bios(xdm_t) ++dev_rw_input_dev(xdm_t) + dev_setattr_apm_bios_dev(xdm_t) + dev_rw_dri(xdm_t) + dev_rw_agp(xdm_t) +@@ -246,6 +260,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -10325,7 +10385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -257,6 +271,7 @@ +@@ -257,6 +272,7 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -10333,7 +10393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -@@ -268,9 +283,14 @@ +@@ -268,9 +284,14 @@ userdom_create_all_users_keys(xdm_t) # for .dmrc userdom_read_unpriv_users_home_content_files(xdm_t) @@ -10348,7 +10408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -306,6 +326,11 @@ +@@ -306,6 +327,11 @@ optional_policy(` consolekit_dbus_chat(xdm_t) @@ -10360,7 +10420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -348,12 +373,8 @@ +@@ -348,12 +374,8 @@ ') optional_policy(` @@ -10374,7 +10434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +406,7 @@ +@@ -385,7 +407,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
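Review bot: `dev_rw_input_dev(xdm_t)` grants read/write on the generic input event device type as I recall it, which covers keyboards and mice as well as the fingerprint reader the commit message names, so xdm gets far more than "talk to input device". If the reader exposes its own device node, a dedicated type with its own file context would confine the grant to that node; if it does not, the choice should at least be recorded with a comment such as `# fingerprint reader is an event device; no narrower type exists yet` so the breadth is not mistaken for an oversight later. The rest of the hunks on this line only shift inner hunk offsets.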
@@ -10383,7 +10443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -425,6 +446,10 @@ +@@ -425,6 +447,10 @@ ') optional_policy(` @@ -10394,7 +10454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +459,20 @@ +@@ -434,47 +460,20 @@ ') optional_policy(` @@ -13472,12 +13532,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-09-22 06:43:22.000000000 -0400 -@@ -184,6 +184,10 @@ ++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-09-25 15:03:25.000000000 -0400 +@@ -184,6 +184,11 @@ ') optional_policy(` + alsa_search_lib(udev_t) ++ alsa_read_lib(udev_t) +') + +optional_policy(` @@ -15559,7 +15620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.8/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/xen.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/xen.te 2007-09-25 15:21:46.000000000 -0400 @@ -45,9 +45,7 @@ type xenstored_t; 
@@ -15679,15 +15740,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_all_nodes(xm_t) -@@ -353,6 +355,7 @@ +@@ -351,8 +353,11 @@ + + storage_raw_read_fixed_disk(xm_t) ++fs_getattr_all_fs(xm_t) ++ term_use_all_terms(xm_t) +init_stream_connect_script(xm_t) init_rw_script_stream_sockets(xm_t) init_use_fds(xm_t) -@@ -366,3 +369,14 @@ +@@ -363,6 +368,19 @@ + + sysnet_read_config(xm_t) + ++userdom_dontaudit_search_sysadm_home_dirs(xm_t) ++ xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 76e82d3..d9380c9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -365,6 +365,10 @@ exit 0 %endif %changelog +* Tue Sep 24 2007 Dan Walsh 3.0.8-14 +- Allow xdm to talk to input device (fingerprint reader) +- Allow octave to run as java + * Tue Sep 24 2007 Dan Walsh 3.0.8-13 - Allow login programs to set ioctl on /proc