From b10408d9842ab0f9a525fffb023c32230d26905d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 25 2010 11:36:09 +0000 Subject: - Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t - Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work --- diff --git a/policy-F13.patch b/policy-F13.patch index 2a82830..0ef160d 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -354,7 +354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat apache_exec_modules(certwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.19/policy/modules/admin/consoletype.if --- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/consoletype.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/admin/consoletype.if 2010-04-22 08:40:46.000000000 -0400 @@ -19,6 +19,9 @@ corecmd_search_bin($1) @@ -612,19 +612,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.19/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.fc 2010-04-23 10:28:24.000000000 -0400 
@@ -1,3 +1,4 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) /etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) +@@ -6,4 +7,5 @@ + /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) + /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + +-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) ++/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) ++/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.19/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.if 2010-04-14 10:48:18.000000000 -0400 -@@ -21,6 +21,25 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.if 2010-04-22 08:56:05.000000000 -0400 +@@ -17,6 +17,30 @@ - ######################################## - ## + corecmd_search_bin($1) + domtrans_pattern($1, prelink_exec_t, prelink_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit prelink_t $1:socket_class_set { read write }; ++ dontaudit prelink_t $1:fifo_file setattr; ++ ') ++') ++ ++######################################## ++## +## Execute the prelink program in the current domain. +## +## @@ -640,14 +656,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink + + corecmd_search_bin($1) + can_exec($1, prelink_exec_t) -+') -+ -+######################################## -+## - ## Execute the prelink program in the prelink domain. - ## - ## -@@ -151,11 +170,11 @@ + ') + + ######################################## +@@ -151,11 +175,11 @@ ## ## # 
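Review bot: The new `ifdef(`hide_broken_symptoms'` block added inside prelink_domtrans dontaudits prelink_t read/write on the caller's `socket_class_set` and setattr on its fifo_file without a comment saying what it silences, so a later reader may be tempted to turn the dontaudit into an allow. I would put `# prelink inherits open sockets/fifos from $1 (leaked fds); silence the noise, do not allow it` above the two dontaudit lines. prelink_domtrans's opening lines are outside the hunk. The prelink.fc change in the same hunk labels `/var/lib/prelink(/.*)?` as prelink_var_lib_t, which existing installs only pick up after a relabel.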
@@ -5358,6 +5370,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut optional_policy(` dbus_system_bus_client(podsleuth_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc +--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2010-03-29 15:04:22.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc 2010-04-22 08:28:05.000000000 -0400 +@@ -3,5 +3,6 @@ + + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + ++/var/lib/mpd(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) + /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) + /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-03-29 15:04:22.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-14 10:48:18.000000000 -0400 @@ -6654,8 +6676,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.7.19/policy/modules/apps/userhelper.if --- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/userhelper.if 2010-04-14 10:48:18.000000000 -0400 -@@ -260,3 +260,51 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/userhelper.if 2010-04-22 08:47:45.000000000 -0400 +@@ -25,6 +25,7 @@ + gen_require(` + attribute userhelper_type; + type userhelper_exec_t, userhelper_conf_t; ++ class dbus send_msg; + ') + + ######################################## +@@ -260,3 +261,58 @@ can_exec($1, userhelper_exec_t) ') 
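Review bot: Labeling `/var/lib/mpd(/.*)?` as pulseaudio_var_lib_t in the new pulseaudio.fc entry makes mpd's state directory writable by every domain that already manages pulseaudio_var_lib_t, and the line carries no comment saying why mpd's directory belongs to pulseaudio rather than to a type of its own. If a dedicated type is not an option, I would add `# <why mpd's state directory shares pulseaudio's label>` above the entry so the shared label is not mistaken for a typo. The rest of the hunk is unchanged context from podsleuth.te and pulseaudio.if.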
@@ -6691,8 +6721,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + gen_require(` + type consolehelper_exec_t; + attribute consolehelper_domain; ++ class dbus send_msg; + ') -+ + type $1_consolehelper_t, consolehelper_domain; + domain_type($1_consolehelper_t) + domain_entry_file($1_consolehelper_t, consolehelper_exec_t) @@ -6700,12 +6730,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + + domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) + ++ allow $3 $1_consolehelper_t:dbus send_msg; ++ allow $1_consolehelper_t $3:dbus send_msg; ++ + auth_use_pam($1_consolehelper_t) + + optional_policy(` + shutdown_run($1_consolehelper_t, $2) + shutdown_send_sigchld($3) + ') ++ ++ optional_policy(` ++ xserver_read_xdm_pid($1_consolehelper_t) ++ ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.7.19/policy/modules/apps/userhelper.te --- nsaserefpolicy/policy/modules/apps/userhelper.te 2009-07-14 14:19:57.000000000 -0400 @@ -6971,7 +7008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-04-22 11:50:15.000000000 -0400 @@ -49,7 +49,8 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) 
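Review bot: The two new rules `allow $3 $1_consolehelper_t:dbus send_msg;` and `allow $1_consolehelper_t $3:dbus send_msg;` in consolehelper_role_template open D-Bus messaging in both directions between the calling user domain and the per-role consolehelper domain with no comment on what traffic they carry, so a reviewer cannot tell whether both directions are needed. A one-line why-comment above them, such as `# <what $3 and the consolehelper domain exchange over dbus>`, would make that judgeable. The `class dbus send_msg;` added to the template's gen_require in the preceding hunk is what these rules rely on; the template's first lines are outside the hunk.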
@@ -6982,7 +7019,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -147,6 +148,9 @@ +@@ -70,6 +71,9 @@ + + /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/etc/pm/power\d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/pm/sleep\d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) +@@ -147,6 +151,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6992,7 +7039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -217,10 +221,13 @@ +@@ -217,10 +224,13 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -7006,7 +7053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -297,6 +304,7 @@ +@@ -297,6 +307,7 @@ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) 
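Review bot: The two new corecommands.fc entries `/etc/pm/power\d(/.*)?` and `/etc/pm/sleep\d(/.*)?` use `\d`, which matches a digit (or is undefined under a POSIX engine), not the literal `.d`; if the intended directories are pm-utils' /etc/pm/power.d and /etc/pm/sleep.d, these patterns never match and the hook scripts there never get bin_t. The lines should read `/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)` and `/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)`, using the `\.` escaping the neighbouring `/etc/ppp/ip-down\..*` entries already use. The remaining corecommands.fc hunks on this line only renumber.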
@@ -7014,7 +7061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) -@@ -331,3 +339,21 @@ +@@ -331,3 +342,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -7740,7 +7787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-05 14:44:26.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-04-21 10:00:28.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-04-22 09:13:23.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8355,7 +8402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5520,3 +5933,210 @@ +@@ -5520,3 +5933,229 @@ typeattribute $1 files_unconfined_type; ') 
@@ -8566,6 +8613,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') ++ ++######################################## ++## ++## Allow domain to create_file_ass all types ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_as_is_all_files',` ++ gen_require(` ++ attribute file_type; ++ class kernel_service create_files_as; ++ ') ++ ++ allow $1 file_type:kernel_service create_files_as; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.19/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2010-04-05 14:44:26.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/kernel/files.te 2010-04-21 10:00:10.000000000 -0400 @@ -8978,7 +9044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-20 08:55:34.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-21 17:30:44.000000000 -0400 @@ -1959,7 +1959,7 @@ ') @@ -9063,7 +9129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2807,3 +2861,22 @@ +@@ -2807,3 +2861,23 @@ typeattribute $1 kern_unconfined; ') 
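Review bot: The summary of the new `files_create_as_is_all_files` interface reads `## Allow domain to create_file_ass all types`, a typo for create_files_as that also does not say what the permission means; I would write `## Allow the domain to have the kernel create files labeled as any file_type on its behalf (kernel_service create_files_as).` The rule `allow $1 file_type:kernel_service create_files_as;` covers every file_type, so a caller can end up with kernel-created files of any label, including sensitive ones, and the description should say this is an all-types grant in the spirit of the unconfined interfaces rather than a narrow one. Callers that only need their own cache type would be better served by a per-type variant. The interface name is awkward as well, but renaming now would touch its caller elsewhere in this same patch.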
@@ -9086,6 +9152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + + allow $1 kernel_t:unix_stream_socket connectto; +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-18 06:48:09.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-04-14 10:48:18.000000000 -0400 @@ -9581,7 +9648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-04-23 11:38:30.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; @@ -9841,22 +9908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -369,6 +430,7 @@ - staff_role_change(sysadm_r) - ') - -+ifndef(`distro_redhat',` - optional_policy(` - su_role_template(sysadm, sysadm_r, sysadm_t) - ') -@@ -376,15 +438,18 @@ - optional_policy(` - sudo_role_template(sysadm, sysadm_r, sysadm_t) - ') -+') - - optional_policy(` - sysnet_run_ifconfig(sysadm_t, sysadm_r) +@@ -382,9 +443,11 @@ sysnet_run_dhcpc(sysadm_t, sysadm_r) ') @@ -9868,7 +9920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,17 +458,21 @@ +@@ -393,17 +456,21 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') 
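Review bot: Dropping the `ifndef(`distro_redhat',` ... `')` wrapper from the sysadm.te part of the patch re-enables `su_role_template(sysadm, sysadm_r, sysadm_t)` and `sudo_role_template(sysadm, sysadm_r, sysadm_t)` on Red Hat builds, a behaviour change that neither the commit message nor a comment mentions. If it is intentional (it may belong with the "Allow mls lvm/cryptosetup to work" item, though nothing in the hunk says so), the commit message should list it; if it is a stray revert picked up while rebasing, the guard should come back. The kernel.if hunk earlier on this line only adds a trailing blank line.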
@@ -9890,7 +9942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` unconfined_domtrans(sysadm_t) -@@ -417,9 +486,11 @@ +@@ -417,9 +484,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') @@ -9902,7 +9954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +498,15 @@ +@@ -427,9 +496,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -9918,7 +9970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +517,26 @@ +@@ -440,13 +515,26 @@ ') optional_policy(` @@ -13548,8 +13600,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc --- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,28 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc 2010-04-22 07:27:48.000000000 -0400 +@@ -0,0 +1,29 @@ +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. 
@@ -13576,6 +13628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) +/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) ++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.19/policy/modules/services/cachefilesd.if @@ -13625,8 +13678,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.19/policy/modules/services/cachefilesd.te --- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.te 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,146 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.te 2010-04-21 17:32:23.000000000 -0400 +@@ -0,0 +1,147 @@ +############################################################################### +# +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. @@ -13726,6 +13779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) +files_pid_file(cachefilesd_var_run_t) +files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file) ++files_create_as_is_all_files(cachefilesd_t) + +# Allow access to cachefiles device file +allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms; 
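Review bot: `files_create_as_is_all_files(cachefilesd_t)` grants cachefilesd_t `kernel_service create_files_as` against every file_type, although, as far as I understand cachefiles, the backing files it asks the kernel to create take the label of the cache root, which this same patch labels cachefiles_var_t (the fc hunk here adds `/var/cache/fscache(/.*)?` to that type). If that is the only directory involved, the narrower `allow cachefilesd_t cachefiles_var_t:kernel_service create_files_as;` would keep the daemon from being able to have files of arbitrary labels created on its behalf; either way a comment naming the directory whose label is assumed would help. The cachefilesd.te local policy continues outside this hunk.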
@@ -21339,7 +21393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.19/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-04-22 08:28:38.000000000 -0400 @@ -25,6 +25,9 @@ type policykit_reload_t alias polkit_reload_t; files_type(policykit_reload_t) @@ -21382,7 +21436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli auth_use_nsswitch(policykit_t) -@@ -68,45 +76,80 @@ +@@ -68,45 +76,82 @@ miscfiles_read_localization(policykit_t) @@ -21441,6 +21495,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) -kernel_read_system_state(policykit_auth_t) ++kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) ++ +dev_read_video_dev(policykit_auth_t) files_read_etc_files(policykit_auth_t) @@ -21469,7 +21525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +162,14 @@ +@@ -119,6 +164,14 @@ hal_read_state(policykit_auth_t) ') @@ -21484,7 +21540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ######################################## # # polkit_grant local policy -@@ -126,7 +177,8 @@ +@@ -126,7 +179,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; 
@@ -21494,7 +21550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +208,12 @@ +@@ -156,9 +210,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -21508,7 +21564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +225,8 @@ +@@ -170,7 +227,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -24071,15 +24127,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.7.19/policy/modules/services/rlogin.fc --- nsaserefpolicy/policy/modules/services/rlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/rlogin.fc 2010-04-15 16:21:06.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/rlogin.fc 2010-04-22 11:53:06.000000000 -0400 
@@ -1,4 +1,7 @@ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) -+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) ++/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.7.19/policy/modules/services/rlogin.te +--- nsaserefpolicy/policy/modules/services/rlogin.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/rlogin.te 2010-04-22 11:52:51.000000000 -0400 +@@ -89,6 +89,7 @@ + userdom_setattr_user_ptys(rlogind_t) + # cjp: this is egregious + userdom_read_user_home_content_files(rlogind_t) ++userdom_search_admin_dir(rlogind_t) + + remotelogin_domtrans(rlogind_t) + remotelogin_signal(rlogind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.19/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-06 15:15:38.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-04-14 10:48:18.000000000 -0400 @@ -26591,7 +26658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-04-15 13:35:28.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-04-23 09:46:57.000000000 -0400 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` 
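Review bot: `userdom_search_admin_dir(rlogind_t)` is added in rlogin.te with no comment, directly under the existing `# cjp: this is egregious` note, so a reader cannot tell it is the narrow search-only access needed to reach the newly labeled `/root/\.rhosts`; I would add `# search /root so /root/.rhosts (rlogind_home_t) can be found; bz #582760` above it. Reading the file itself presumably relies on rlogind_t's existing access to rlogind_home_t, which is outside this hunk, and installed systems only get the new /root entries after a relabel. The rlogin.fc line for `/root/\.rhosts` changes whitespace only.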
@@ -26647,7 +26714,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $2 xserver_t:fd use; -@@ -94,9 +104,9 @@ +@@ -89,14 +99,19 @@ + dev_write_misc($2) + # open office is looking for the following + dev_getattr_agp_dev($2) +- dev_dontaudit_rw_dri($2) ++ tunable_policy(`user_direct_dri',` ++ dev_rw_dri($2) ++ ',` ++ dev_dontaudit_rw_dri($2) ++ ') ++ + # GNOME checks for usb and other devices: dev_rw_usbfs($2) miscfiles_read_fonts($2) @@ -26658,7 +26736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -148,6 +158,7 @@ +@@ -148,6 +163,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -26666,7 +26744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) -@@ -197,7 +208,7 @@ +@@ -197,7 +213,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -26675,7 +26753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $1 xserver_t:fd use; -@@ -291,12 +302,12 @@ +@@ -291,12 +307,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26691,7 +26769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -355,6 +366,12 @@ +@@ -355,6 +371,12 @@ class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; 
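Review bot: The new `tunable_policy(`user_direct_dri', dev_rw_dri($2), dev_dontaudit_rw_dri($2))` block in xserver_restricted_role has no comment on what the tunable trades off; with it on, restricted-role user domains read and write the DRI devices directly instead of only through the X server, so I would add `# off by default: direct DRI device access bypasses the X server's mediation of the GPU` above it. The tunable's declaration and its description (`Allow regular users direct dri device access`) sit in the xserver.te hunk later in this patch, and that description should say it only affects xserver_restricted_role, the only caller visible here. The enclosing interface begins before this hunk.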
@@ -26704,7 +26782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ############################## -@@ -386,6 +403,15 @@ +@@ -386,6 +408,15 @@ allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -26720,7 +26798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -476,6 +502,7 @@ +@@ -476,6 +507,7 @@ xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) @@ -26728,7 +26806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -545,6 +572,9 @@ +@@ -545,6 +577,9 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -26738,7 +26816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -598,6 +628,7 @@ +@@ -598,6 +633,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -26746,7 +26824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +836,7 @@ +@@ -805,7 +841,7 @@ ') files_search_pids($1) @@ -26755,7 +26833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1224,9 +1255,20 @@ +@@ -1224,9 +1260,20 @@ class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; @@ -26776,7 +26854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1292,329 @@ +@@ -1250,3 +1297,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') 
@@ -27108,7 +27186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-04-15 16:59:03.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-04-23 09:42:21.000000000 -0400 @@ -36,6 +36,13 @@ ## @@ -27123,17 +27201,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Allow xdm logins as sysadm ##

##
-@@ -48,6 +55,9 @@ +@@ -48,6 +55,16 @@ ## gen_tunable(xserver_object_manager, false) ++## ++##

++## Allow regular users direct dri device access ++##

++##
++gen_tunable(user_direct_dri, false) ++ +attribute xdmhomewriter; +attribute x_userdomain; + attribute x_domain; # X Events -@@ -110,21 +120,26 @@ +@@ -110,21 +127,26 @@ type user_fonts_t; typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; @@ -27160,7 +27245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; application_domain(iceauth_t, iceauth_exec_t) ubac_constrained(iceauth_t) -@@ -132,6 +147,7 @@ +@@ -132,6 +154,7 @@ type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; @@ -27168,7 +27253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_poly_member(iceauth_home_t) userdom_user_home_content(iceauth_home_t) -@@ -139,17 +155,20 @@ +@@ -139,17 +162,20 @@ type xauth_exec_t; typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; @@ -27189,7 +27274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) -@@ -164,16 +183,18 @@ +@@ -164,16 +190,18 @@ type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) @@ -27211,7 +27296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -181,13 +202,27 @@ +@@ -181,13 +209,27 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) 
@@ -27240,7 +27325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -200,15 +235,9 @@ +@@ -200,15 +242,9 @@ init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -27258,7 +27343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -238,9 +267,13 @@ +@@ -238,9 +274,13 @@ allow xdm_t iceauth_home_t:file read_file_perms; @@ -27272,7 +27357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,30 +283,58 @@ +@@ -250,30 +290,58 @@ fs_manage_cifs_files(iceauth_t) ') @@ -27334,7 +27419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -283,17 +344,36 @@ +@@ -283,17 +351,36 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -27371,7 +27456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +385,31 @@ +@@ -305,20 +392,31 @@ # XDM Local policy # @@ -27406,7 +27491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -332,26 +423,45 @@ +@@ -332,26 +430,45 @@ manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) @@ -27457,7 +27542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -359,10 +469,13 @@ +@@ -359,10 +476,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) 
@@ -27471,7 +27556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,15 +484,21 @@ +@@ -371,15 +491,21 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -27494,7 +27579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -394,11 +513,13 @@ +@@ -394,11 +520,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -27508,7 +27593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +527,7 @@ +@@ -406,6 +534,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -27516,7 +27601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +536,22 @@ +@@ -414,18 +543,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -27542,7 +27627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +562,17 @@ +@@ -436,9 +569,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -27560,7 +27645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +581,19 @@ +@@ -447,14 +588,19 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -27580,7 +27665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +604,12 @@ +@@ -465,10 +611,12 @@ logging_read_generic_logs(xdm_t) @@ -27595,7 +27680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +618,11 @@ +@@ -477,6 +625,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -27607,7 +27692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +655,12 @@ +@@ -509,10 +662,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -27620,7 +27705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +668,50 @@ +@@ -520,12 +675,50 @@ ') optional_policy(` @@ -27671,7 +27756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +729,59 @@ +@@ -543,20 +736,59 @@ ') optional_policy(` @@ -27733,7 +27818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +790,6 @@ +@@ -565,7 +797,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') 
@@ -27741,7 +27826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +800,10 @@ +@@ -576,6 +807,10 @@ ') optional_policy(` @@ -27752,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +828,9 @@ +@@ -600,10 +835,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -27764,7 +27849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +842,18 @@ +@@ -615,6 +849,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -27783,7 +27868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +873,19 @@ +@@ -634,12 +880,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -27805,7 +27890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +919,6 @@ +@@ -673,7 +926,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -27813,7 +27898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +928,12 @@ +@@ -683,9 +935,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -27827,7 +27912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +948,13 @@ +@@ -700,8 +955,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -27841,7 +27926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +976,14 @@ +@@ -723,11 +983,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -27856,7 +27941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1035,24 @@ +@@ -779,12 +1042,24 @@ ') optional_policy(` @@ -27882,7 +27967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1079,7 @@ +@@ -811,7 +1086,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -27891,7 +27976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1100,14 @@ +@@ -832,9 +1107,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -27906,7 +27991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1122,14 @@ +@@ -849,11 +1129,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -27923,7 +28008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1275,33 @@ +@@ -999,3 +1282,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28372,7 +28457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-04-22 08:33:46.000000000 -0400 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -28623,7 +28708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-15 16:58:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-22 08:33:38.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) 
@@ -29669,7 +29754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-04-22 08:29:10.000000000 -0400 @@ -61,6 +61,7 @@ type syslogd_t; type syslogd_exec_t; @@ -29756,7 +29841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc # /sbin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-04-22 12:09:51.000000000 -0400 @@ -34,7 +34,7 @@ type lvm_exec_t; ') @@ -29768,7 +29853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-04-22 12:11:19.000000000 -0400 @@ -142,6 +142,11 @@ ') 
@@ -29816,7 +29901,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -311,6 +320,11 @@ +@@ -264,6 +273,7 @@ + + mls_file_read_all_levels(lvm_t) + mls_file_write_to_clearance(lvm_t) ++mls_file_upgrade(lvm_t) + + selinux_get_fs_mount(lvm_t) + selinux_validate_context(lvm_t) +@@ -311,6 +321,11 @@ ') optional_policy(` @@ -29828,7 +29921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te bootloader_rw_tmp_files(lvm_t) ') -@@ -331,6 +345,10 @@ +@@ -331,6 +346,10 @@ ') optional_policy(` @@ -32556,7 +32649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-20 12:26:39.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-22 11:53:25.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index daddb15..94a9ea1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,14 @@ exit 0 %endif %changelog +* Thu Apr 22 2010 Dan Walsh 3.7.19-5 +- Allow rlogind_t to search /root for .rhosts +Resolves: #582760 +- Fix path for cached_var_t +- Fix prelink paths /var/lib/prelink +- Allow confined users to direct_dri +- Allow mls lvm/cryptosetup to work + * Wed Apr 21 2010 Dan Walsh 3.7.19-4 - Allow virtd_t to manage firewall/iptables config Resolves: #573585
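Review bot: The `++mls_file_upgrade(lvm_t)` line added in the new lvm.te inner hunk (`+@@ -264,6 +273,7 @@`) carries no comment saying why lvm_t must be able to raise the sensitivity level of files it relabels; the only rationale anywhere in the patch is the changelog entry "Allow mls lvm/cryptosetup to work". Next to the existing `mls_file_read_all_levels(lvm_t)` and `mls_file_write_to_clearance(lvm_t)` shown as context in the same inner hunk, this leaves lvm_t exempt from most MLS file constraints, so anyone later auditing MLS overrides will want the reason recorded at the rule itself. Suggest a why-comment directly above the new line, e.g. `# MLS: lvm/cryptsetup need to raise the level of the files they set up (3.7.19-5)`, with the wording tied to the actual denial that motivated it. If that denial was limited to a single object class a narrower interface might be enough, but that cannot be judged from the hunk; the lvm_t rule block continues outside it.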