From ddf4ec413fa42d0e8bdefb26a614be5dd58a1a90 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Nov 19 2007 20:09:32 +0000
Subject: - Update to upstream
---
diff --git a/booleans-mls.conf b/booleans-mls.conf
index fbc359f..9f3d7ba 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -1,4 +1,4 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+d# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 #
 allow_execmem = false
diff --git a/modules-targeted.conf b/modules-targeted.conf
index bec5ec0..0b6299d 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -816,6 +816,14 @@ nscd = base
 ntp = base
 # Layer: services
+# Module: nx
+#
+# NX Remote Desktop
+#
+nx = module
+
+
+# Layer: services
 # Module: oddjob
 #
 # policy for oddjob
diff --git a/policy-20071023.patch b/policy-20071023.patch
index 8282aab..089cedf 100644
--- a/policy-20071023.patch
+++ b/policy-20071023.patch
@@ -532,6 +532,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.i
 +
 + allow $1 brctl_exec_t:file getattr;
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.1.0/policy/modules/admin/brctl.te
+--- nsaserefpolicy/policy/modules/admin/brctl.te 2007-10-23 07:37:52.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/admin/brctl.te 2007-11-12 18:12:28.000000000 -0500
+@@ -40,4 +40,5 @@
+
+ optional_policy(`
+ xen_append_log(brctl_t)
++ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.1.0/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.1.0/policy/modules/admin/consoletype.te 2007-11-06 09:28:35.000000000 -0500
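Review bot: The new first line `+d# Allow making anonymous memory executable, …` carries a stray `d` in front of the `#`, so it is no longer a comment; whatever consumes booleans-mls.conf at build time will either reject the line or treat `d# Allow …` as a malformed key, and the description of `allow_execmem` is lost either way. This reads like an accidental editor keystroke rather than an intended change. Restore the line as `# Allow making anonymous memory executable, e.g. for runtime-code generation or executable stack.` (the missing space after `e.g.` can be fixed in the same edit).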
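Review bot: `nx = module` registers a new nx (NX Remote Desktop) policy module, but no nx.te/nx.fc/nx.if hunks appear in this commit's changes to policy-20071023.patch, so unless the module ships in the upstream 3.1.2 tarball the build has nothing to compile for this entry. That is worth confirming before this lands, because a remote-desktop service is exactly the kind of network-facing daemon that should not end up running without a confining domain by accident. The surrounding entries are outside the hunk apart from the nscd/ntp/oddjob context lines shown.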
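Review bot: `xen_dontaudit_rw_unix_stream_sockets(brctl_t)` silences, rather than grants, brctl_t's read/write on the xen module's unix stream sockets, presumably because a xen daemon execs brctl with that socket still open as an inherited descriptor. A dontaudit has no access effect, but it hides evidence of the fd leak, so it deserves a why-comment in brctl.te, e.g. `# xen daemon leaks its unix socket fd into brctl; hide the denial rather than grant rw`, and whoever debugs this later should know the denial can be surfaced again with `semodule -DB`. The `optional_policy` block starts and ends inside the hunk; the rest of brctl.te is outside it.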
@@ -3163,7 +3172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.1.0/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/kernel/files.if 2007-11-09 14:39:44.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/kernel/files.if 2007-11-12 18:07:03.000000000 -0500 @@ -3054,6 +3054,24 @@ ######################################## @@ -3189,7 +3198,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the tmp directory (/tmp). ## ## -@@ -4756,3 +4774,54 @@ +@@ -4717,7 +4735,6 @@ + files_search_home($1) + corecmd_exec_bin($1) + seutil_domtrans_setfiles($1) +- mount_domtrans($1) + ') + ') + +@@ -4756,3 +4773,54 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') @@ -10565,7 +10582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.1.0/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-12 11:58:29.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-12 18:26:06.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -10584,12 +10601,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xdm_var_run_t; files_pid_file(xdm_var_run_t) ++type xserver_var_lib_t; ++files_type(xserver_var_lib_t) ++ +type xserver_var_run_t; +files_pid_file(xserver_var_run_t) + -+type xdm_var_run_t; -+files_pid_file(xdm_var_run_t) -+ type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; 
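Review bot: The inner removal `+-	mount_domtrans($1)` takes the transition to mount_t out of a files.if interface whose name and callers are outside this hunk (the enclosing interface starts before it). That is the right direction, since a kernel-layer interface should not depend on the system-layer mount module and it narrows what callers receive, but any caller that relied on it to run mount will now either be denied or run mount in its own domain, so those callers should be checked and given `mount_domtrans()` directly where needed. The renumbered `+@@ -4756,3 +4773,54 @@` header is just the offset shift caused by that deletion.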
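Review bot: `xserver_var_lib_t` is declared with `files_type()`, but nothing in this hunk labels a path with it or grants `xdm_xserver_t` any access to it; the matching xserver.fc entry and the manage rules are presumably elsewhere in the patch and should be confirmed, otherwise the type is dead and whatever it was meant to cover stays `var_lib_t`. Dropping the second `type xdm_var_run_t;` / `files_pid_file(xdm_var_run_t)` pair is correct, since the same declaration sits in the context lines just above and would presumably be rejected as a duplicate declaration. A one-line comment above the new type naming the `/var/lib` directory it is meant to label would make the intent clear.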
@@ -10753,11 +10770,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 + # xserver signals unconfined user on startx
 + unconfined_signal(xdm_xserver_t)
 + unconfined_getpgid(xdm_xserver_t)
-+')
-+
-+
-+tunable_policy(`allow_xserver_execmem', `
-+ allow xdm_xserver_t self:process { execheap execmem execstack };
 ')
 -ifdef(`TODO',`
@@ -10781,6 +10793,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -allow xdm_t polymember:lnk_file { create unlink };
 -# xdm needs access for copying .Xauthority into new home
 -allow xdm_t polymember:file { create getattr write };
++
++tunable_policy(`allow_xserver_execmem', `
++ allow xdm_xserver_t self:process { execheap execmem execstack };
++')
++
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
+')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b6ab7fd..2f667c5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,12 +16,12 @@
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.1.1
+Version: 3.1.2
 Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch: policy-20071023.patch
+patch: policy-20071114.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
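Review bot: The relocated `tunable_policy(`allow_xserver_execmem', …)` block now sits directly above the context-line `ifndef(`distro_redhat', …)` block that grants `execheap execmem` to `xdm_xserver_t` unconditionally, so on non-Red Hat builds the boolean only adds `execstack` and cannot actually turn executable anonymous memory off for the X server. That asymmetry should be stated next to the tunable, e.g. `# allow_xserver_execmem gates execheap/execmem/execstack for the X server; non-Red Hat builds grant execheap/execmem below regardless`. The `gen_tunable()` that declares the boolean and its default is outside this hunk (presumably the `@@ -16,6 +16,13 @@` hunk earlier in the patch), so I cannot check from here that it defaults to off.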
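Review bot: The spec now reads `patch: policy-20071114.patch`, but every other hunk in this commit edits `policy-20071023.patch`; unless the renamed patch is added elsewhere in this commit, `rpmbuild` stops in %prep with a missing source, and the brctl, files.if and xserver fixes made above are never applied. Either keep `patch: policy-20071023.patch` until the new file is in place, or carry these edits into policy-20071114.patch in the same commit. How %prep applies the patch against serefpolicy-3.1.2 (the patch headers still name serefpolicy-3.1.0 paths, which is fine with `-p1`) is outside the hunk.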