##
@@ -37262,10 +37357,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+##
+##
++## Allows xdm to execute bootloader
++##
++##
++gen_tunable(xdm_exec_bootloader, false)
++
++##
++##
## Allow xdm logins as sysadm
##
##
-@@ -48,6 +55,16 @@
+@@ -48,6 +62,16 @@
##
gen_tunable(xserver_object_manager, false)
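Review bot: The description added for the new `xdm_exec_bootloader` tunable says only `## Allows xdm to execute bootloader`, which does not tell an administrator what flipping the boolean actually grants. The matching tunable_policy block later in this same patch also gives xdm_t read access to files and symlinks under /boot, so the description should cover that, e.g. `## Allow xdm to execute the bootloader binary and read files and symlinks under /boot`. The bare `##` lines around it look as though their XML markup was lost in rendering; if they really are empty, the `<desc><p>…</p></desc>` wrapper the other tunables in this file use is needed for the boolean to appear in the generated documentation.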
@@ -37282,7 +37384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
attribute x_domain;
# X Events
-@@ -110,21 +127,26 @@
+@@ -110,21 +134,26 @@
type user_fonts_t;
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
@@ -37309,7 +37411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
application_domain(iceauth_t, iceauth_exec_t)
ubac_constrained(iceauth_t)
-@@ -132,6 +154,7 @@
+@@ -132,6 +161,7 @@
type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
@@ -37317,7 +37419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_poly_member(iceauth_home_t)
userdom_user_home_content(iceauth_home_t)
-@@ -139,17 +162,20 @@
+@@ -139,17 +169,20 @@
type xauth_exec_t;
typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
@@ -37338,7 +37440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
-@@ -164,16 +190,21 @@
+@@ -164,16 +197,21 @@
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
@@ -37363,7 +37465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -181,13 +212,27 @@
+@@ -181,13 +219,27 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
@@ -37392,7 +37494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -200,15 +245,9 @@
+@@ -200,15 +252,9 @@
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -37410,7 +37512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -238,9 +277,13 @@
+@@ -238,9 +284,13 @@
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -37424,7 +37526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -250,50 +293,106 @@
+@@ -250,50 +300,106 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -37537,7 +37639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +404,33 @@
+@@ -305,20 +411,33 @@
# XDM Local policy
#
@@ -37574,7 +37676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -326,32 +438,55 @@
+@@ -326,32 +445,55 @@
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -37635,7 +37737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +494,13 @@
+@@ -359,10 +501,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -37649,7 +37751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,18 +509,25 @@
+@@ -371,18 +516,25 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -37676,7 +37778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -394,11 +539,14 @@
+@@ -394,11 +546,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -37691,7 +37793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +554,7 @@
+@@ -406,6 +561,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -37699,7 +37801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +563,22 @@
+@@ -414,18 +570,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -37725,7 +37827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +589,17 @@
+@@ -436,9 +596,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -37743,7 +37845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +608,21 @@
+@@ -447,14 +615,21 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -37765,7 +37867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +633,12 @@
+@@ -465,10 +640,12 @@
logging_read_generic_logs(xdm_t)
@@ -37780,7 +37882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +647,12 @@
+@@ -477,6 +654,12 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -37793,7 +37895,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -508,11 +684,17 @@
+@@ -495,6 +678,12 @@
+ fs_exec_cifs_files(xdm_t)
+ ')
+
++tunable_policy(`xdm_exec_bootloader',`
++ bootloader_exec(xdm_t)
++ files_read_boot_files(xdm_t)
++ files_read_boot_symlinks(xdm_t)
++')
++
+ tunable_policy(`xdm_sysadm_login',`
+ userdom_xsession_spec_domtrans_all_users(xdm_t)
+ # FIXME:
+@@ -508,11 +697,17 @@
')
optional_policy(`
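Review bot: The new `tunable_policy(`xdm_exec_bootloader',` block grants `bootloader_exec(xdm_t)`, which as far as I can tell runs the bootloader binary inside xdm_t rather than transitioning to the bootloader domain, so the tool inherits the display manager's privileges and, conversely, gets only the read-only /boot access granted by the next two lines. Nothing in the hunk says which xdm/gdm feature invokes the bootloader, which is what a later reviewer needs to judge whether read-only /boot is sufficient or whether a domain transition would be the tighter design. A comment above the block such as `# <which xdm feature runs the bootloader tool — TODO name it>; /boot stays read-only for it` would capture that; the surrounding xdm local-policy section extends beyond this hunk.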
@@ -37811,7 +37926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +702,51 @@
+@@ -520,12 +715,51 @@
')
optional_policy(`
@@ -37863,7 +37978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +764,63 @@
+@@ -543,20 +777,63 @@
')
optional_policy(`
@@ -37929,7 +38044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +829,6 @@
+@@ -565,7 +842,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -37937,7 +38052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +839,10 @@
+@@ -576,6 +852,10 @@
')
optional_policy(`
@@ -37948,7 +38063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +867,9 @@
+@@ -600,10 +880,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -37960,7 +38075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +881,18 @@
+@@ -615,6 +894,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -37979,7 +38094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +912,19 @@
+@@ -634,12 +925,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -38001,7 +38116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -647,6 +932,7 @@
+@@ -647,6 +945,7 @@
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -38009,7 +38124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -673,7 +959,6 @@
+@@ -673,7 +972,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -38017,7 +38132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +968,12 @@
+@@ -683,9 +981,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -38031,7 +38146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +988,13 @@
+@@ -700,8 +1001,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -38045,7 +38160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1016,14 @@
+@@ -723,11 +1029,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -38060,7 +38175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1075,28 @@
+@@ -779,12 +1088,28 @@
')
optional_policy(`
@@ -38090,7 +38205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1123,7 @@
+@@ -811,7 +1136,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -38099,7 +38214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1144,14 @@
+@@ -832,9 +1157,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -38114,7 +38229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1166,14 @@
+@@ -849,11 +1179,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -38131,7 +38246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1319,33 @@
+@@ -999,3 +1332,34 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -38149,6 +38264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow xserver_t self:process { execheap execmem execstack };
+')
+
++
+# Hack to handle the problem of using the nvidia blobs
+tunable_policy(`allow_execmem',`
+ allow xdm_t self:process execmem;
@@ -38246,7 +38362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.19/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2010-05-28 09:42:00.209610947 +0200
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2010-11-10 15:15:13.229148284 +0100
@@ -10,6 +10,7 @@
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
@@ -38255,6 +38371,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
+@@ -39,6 +40,7 @@
+ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
++/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-11-02 16:59:22.380650718 +0100
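Review bot: The new `/var/run/faillock(/.*)?` entry reuses pam_var_run_t, the same type as the pam_mount and sepermit state beside it, so every domain already allowed to manage pam_var_run_t can also create or remove faillock tally files, and audit records cannot distinguish a lockout-counter reset from other PAM runtime-state changes. If that sharing is deliberate it deserves a one-line comment above the entry; otherwise a dedicated type (a new `faillock_var_run_t`, say, declared in authlogin.te and exposed through authlogin.if) would keep lockout state under its own access rules. The authlogin.if/.te changes are outside this chunk, so I cannot see which domains are granted the type.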
@@ -40017,8 +40141,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.19/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2010-09-15 15:53:35.451386747 +0200
-@@ -77,6 +77,8 @@
++++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2010-11-08 16:19:07.128446678 +0100
+@@ -77,9 +77,12 @@
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
@@ -40027,7 +40151,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -92,5 +94,5 @@
++domain_dontaudit_ptrace_all_domains(iscsid_t)
+
+ files_read_etc_files(iscsid_t)
+
+@@ -92,5 +95,5 @@
miscfiles_read_localization(iscsid_t)
optional_policy(`
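Review bot: `domain_dontaudit_ptrace_all_domains(iscsid_t)` suppresses ptrace denials against every domain on the system without saying what triggers them, and a blanket dontaudit on ptrace is the kind of rule a later reader will want justified. The rule only hides the audit message and grants nothing, which is fine, but please add a comment above it naming the access that produces the noise, e.g. `# <iscsid code path that trips ptrace on other domains — TODO confirm>; suppress the resulting denials`. The rest of the iscsid local policy is outside this hunk.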
@@ -40050,7 +40178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-09-24 12:55:11.845386098 +0200
++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-11-11 16:35:19.332397032 +0100
@@ -127,17 +127,23 @@
/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40068,7 +40196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
-/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/plugins/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib64/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
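Review bot: Widening `/usr/lib64/vlc/.*\.so` to `/usr/lib(64)?/vlc/.*\.so` makes the two librealaudio_plugin entries directly above it, the `/usr/lib64/vlc/codec/librealaudio_plugin\.so` line below it, and the libvideo_filter_wrapper_plugin entry added in a later hunk of this same file redundant, since they all carry the same textrel_shlib_t context. Dropping the subsumed lines would keep the list readable. If, on the other hand, the intent was to label only the plugins that actually need text relocations, the catch-all is the line to drop, because it extends the execmod-tolerant label to every VLC shared object under both lib directories.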
@@ -40087,7 +40215,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +215,7 @@
+@@ -198,8 +205,6 @@
+ /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -208,6 +213,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40095,7 +40232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -302,13 +310,8 @@
+@@ -302,13 +308,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40111,7 +40248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +322,153 @@
+@@ -319,14 +320,153 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -40262,7 +40399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/local/lexmark/lxk08/lib(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
++/usr/lib/vlc/plugins/video_filter/libvideo_filter_wrapper_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40966,16 +41103,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
## Read the configuration options used when
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-08-10 16:41:48.680085643 +0200
-@@ -19,6 +19,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-11-11 16:53:00.882398885 +0100
+@@ -19,8 +19,12 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
mls_file_write_all_levels(insmod_t)
+mls_process_write_down(insmod_t)
role system_r types insmod_t;
++type insmod_tmpfs_t;
++files_tmpfs_file(insmod_tmpfs_t)
++
# module loading config
-@@ -56,12 +57,14 @@
+ type modules_conf_t;
+ files_type(modules_conf_t)
+@@ -56,12 +60,14 @@
domain_use_interactive_fds(depmod_t)
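Review bot: The new `type insmod_tmpfs_t;` / `files_tmpfs_file(insmod_tmpfs_t)` pair is added without a comment saying what insmod writes to tmpfs, whereas the declarations in this section each carry one (`# module loading config` immediately below). A line in the same style, e.g. `# tmpfs files created by insmod (<which tool/path — TODO name it>)`, would match the file. The rules that use the type are in a later hunk of this section and have the same gap.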
@@ -40990,7 +41132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
fs_getattr_xattr_fs(depmod_t)
-@@ -75,6 +78,7 @@
+@@ -75,6 +81,7 @@
# Read System.map from home directories.
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
@@ -40998,7 +41140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -105,7 +109,7 @@
+@@ -105,7 +112,7 @@
# insmod local policy
#
@@ -41007,7 +41149,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
-@@ -126,6 +130,7 @@
+@@ -117,6 +124,9 @@
+ list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+
++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
++
+ can_exec(insmod_t, insmod_exec_t)
+
+ kernel_load_module(insmod_t)
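Review bot: The two new rules `manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)` omit the space after each comma, unlike every other macro call in the surrounding context (`read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)`); the file's style is `manage_files_pattern(insmod_t, insmod_tmpfs_t, insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t, insmod_tmpfs_t, file)`. Separately, manage_files_pattern grants create, write and unlink on the type; if the consumer only needs to create and read a file, a narrower pattern would do, though the consumer is not visible here. The insmod local-policy section continues outside this hunk.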
+@@ -126,6 +136,7 @@
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
@@ -41015,7 +41167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +148,7 @@
+@@ -143,6 +154,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -41023,7 +41175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -159,13 +165,17 @@
+@@ -159,13 +171,17 @@
# for locking: (cjp: ????)
files_write_kernel_modules(insmod_t)
@@ -41041,7 +41193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,8 +184,7 @@
+@@ -174,8 +190,7 @@
seutil_read_file_contexts(insmod_t)
@@ -41051,7 +41203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -236,6 +245,10 @@
+@@ -236,6 +251,10 @@
')
optional_policy(`
@@ -41279,7 +41431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-10-26 13:46:49.368668089 +0200
++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-11-10 09:36:38.851147626 +0100
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -41327,7 +41479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -47,30 +69,52 @@
+@@ -47,30 +69,53 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -41373,6 +41525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
++files_setattr_all_mountpoints(mount_t)
+# ntfs-3g checks whether the mountpoint is writable before mounting
+files_write_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
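Review bot: `files_setattr_all_mountpoints(mount_t)` is inserted with no justification, while its neighbour `files_write_all_mountpoints(mount_t)` comes with one (`# ntfs-3g checks whether the mountpoint is writable before mounting`). Setattr on every mountpoint directory lets the mount domain change mode, ownership and timestamps of those directories, so a comment naming the helper that needs it, e.g. `# <mount helper — TODO name it> sets attributes on the mountpoint`, should accompany the rule. I also cannot see the interface definition in this chunk; if files_setattr_all_mountpoints is new to this patch, its files.if hunk should be kept together with this consumer.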
@@ -41382,7 +41535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -80,15 +124,19 @@
+@@ -80,15 +125,19 @@
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -41405,7 +41558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-@@ -99,6 +147,7 @@
+@@ -99,6 +148,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -41413,7 +41566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
term_use_all_terms(mount_t)
-@@ -107,6 +156,8 @@
+@@ -107,6 +157,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -41422,7 +41575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
logging_send_syslog_msg(mount_t)
-@@ -117,6 +168,12 @@
+@@ -117,6 +169,12 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -41435,7 +41588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`distro_redhat',`
optional_policy(`
-@@ -132,10 +189,17 @@
+@@ -132,10 +190,17 @@
')
')
@@ -41453,7 +41606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -165,6 +229,8 @@
+@@ -165,6 +230,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -41462,7 +41615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -172,6 +238,25 @@
+@@ -172,6 +239,25 @@
')
optional_policy(`
@@ -41488,7 +41641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +264,15 @@
+@@ -179,6 +265,15 @@
')
')
@@ -41504,7 +41657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +280,23 @@
+@@ -186,6 +281,23 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -41528,7 +41681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -194,6 +305,42 @@
+@@ -194,6 +306,42 @@
#
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 51461b2..9c10af7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 70%{?dist}
+Release: 71%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,14 @@ exit 0
%endif
%changelog
+* Fri Nov 12 2010 Miroslav Grepl