diff --git a/policy-F12.patch b/policy-F12.patch index b659de3..a2e0562 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1827,8 +1827,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-08 10:58:36.000000000 -0400 -@@ -0,0 +1,34 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-12 09:13:42.000000000 -0400 +@@ -0,0 +1,31 @@ +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -1860,9 +1860,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-09 10:34:56.000000000 -0400 
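Review bot: The `/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0)` entry dropped from execmem.fc in the @@ -1860 hunk is not mentioned in the spec changelog this commit adds, which lists only the alias fix, the hal dontaudit and the nspluginviewer label. Presumably mutter then stops being labeled execmem_exec_t and runs in its caller's domain instead of whichever domain that label transitions to; the execmem.if/.te rules deciding that are outside this hunk, so the effect cannot be confirmed here. A one-line entry such as `- Remove execmem label from mutter` would make the behaviour change visible in the package history. The +34 to +31 line-count correction in the @@ -1827 hunk is the consistent counterpart of the same removal.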
@@ -1943,7 +1940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.6.32/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.te 2009-10-02 10:36:43.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.te 2009-10-12 09:19:44.000000000 -0400 @@ -0,0 +1,11 @@ + +policy_module(execmem, 1.0.0) @@ -1953,7 +1950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Declarations +# + -+type execmem_exec_t; ++type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.6.32/policy/modules/apps/firewallgui.fc @@ -3172,8 +3169,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2009-09-30 16:12:48.000000000 -0400 -@@ -0,0 +1,12 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2009-10-12 09:30:06.000000000 -0400 +@@ -0,0 +1,13 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) 
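Review bot: `type execmem_exec_t alias unconfined_execmem_exec_t;` in the @@ -1953 hunk carries no comment explaining why the alias exists, and nothing in the hunk says which earlier module used the `unconfined_execmem_exec_t` name. Presumably it keeps files already labeled under the old name valid after the rename, so upgraded systems still get the execmem transition without a full relabel; that is worth recording because dropping the alias later would leave those on-disk labels unresolvable. A comment above the declaration such as `# alias keeps on-disk labels from the old unconfined_execmem type valid without a relabel` would document the intent. The execmem.te declarations block continues outside the hunk.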
@@ -3183,6 +3180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) + +/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) @@ -10124,7 +10122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-10-09 12:09:39.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # @@ -10692,7 +10690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +804,30 @@ +@@ -631,22 +804,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) 
@@ -10720,6 +10718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ') - @@ -10730,7 +10729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +853,14 @@ +@@ -672,15 +854,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -10749,7 +10748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +879,24 @@ +@@ -699,12 +880,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -10776,7 +10775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +904,35 @@ +@@ -712,6 +905,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -10812,7 +10811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +945,10 @@ +@@ -724,6 +946,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -10823,7 +10822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +960,8 @@ +@@ -735,6 +961,8 @@ # httpd_rotatelogs local policy # 
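Review bot: `manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)` in the @@ -10720 hunk lets the system CGI script domain create, rename and unlink unix socket files on every type carrying the `httpdcontent` attribute, so a compromised script could create or replace socket files under any content directory, including ones other services connect to. The tunable_policy block gating these rules starts outside the hunk; given the sibling manage_dirs/manage_files lines it is presumably the httpd_unified branch, which should be confirmed, since the non-unified split keeps the writable content types narrower. If socket creation is only needed under one writable content type, scoping the pattern to that type limits the exposure; otherwise a comment such as `# unified content: scripts may create/unlink unix sockets anywhere under httpdcontent` should record the decision. This addition is also absent from the spec changelog in this commit.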
@@ -10832,7 +10831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,6 +981,12 @@ +@@ -754,6 +982,12 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -10845,7 +10844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # allow accessing files/dirs below the users home dir -@@ -762,3 +995,74 @@ +@@ -762,3 +996,74 @@ userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') @@ -11409,7 +11408,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-10-06 10:15:04.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-10-11 07:54:38.000000000 -0400 @@ -62,12 +62,15 @@ init_telinit(consolekit_t) @@ -11448,7 +11447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) -@@ -108,10 +115,19 @@ +@@ -108,10 +115,20 @@ optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) @@ -11460,6 +11459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` + udev_domtrans(consolekit_t) ++ udev_read_db(consolekit_t) +') + +optional_policy(` 
@@ -13211,7 +13211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/hal.if 2009-10-07 14:43:47.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/hal.if 2009-10-11 07:59:31.000000000 -0400 @@ -413,3 +413,21 @@ files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) @@ -15409,8 +15409,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-09-30 16:12:48.000000000 -0400 -@@ -0,0 +1,86 @@ ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-10-11 08:00:20.000000000 -0400 +@@ -0,0 +1,92 @@ +policy_module(plymouthd, 1.0.0) + +######################################## 
@@ -15497,6 +15497,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(plymouth_t) + +plymouth_stream_connect(plymouth_t) ++ ++ifdef(`hide_broken_symptoms', ` ++optional_policy(` ++ hal_dontaudit_write_log(plymouth_t) ++') ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.32/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/policykit.fc 2009-09-30 16:12:48.000000000 -0400 @@ -26923,7 +26929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.32/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/udev.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/udev.if 2009-10-11 07:54:27.000000000 -0400 @@ -168,4 +168,25 @@ dev_list_all_dev_nodes($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index b5a2460..55214ff 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,11 @@ exit 0 %endif %changelog +* Mon Oct 12 2009 Dan Walsh 3.6.32-25 +- Fix alias for execmem_exec_t +- Dontaudit hal leakage +- Add label for nspluginviewer + * Fri Oct 10 2009 Dan Walsh 3.6.32-24 - Add home_cert_t for labeling of certs in the homedir
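Review bot: `hal_dontaudit_write_log(plymouth_t)` in the @@ -15497 hunk silences a denial instead of granting access, which is the right shape for a leaked descriptor, but the rule has no comment saying what leaks, and the dontaudit also removes the only audit evidence that hald hands plymouth an open log descriptor. Nothing in this commit shows the `hal_dontaudit_write_log` interface body; the hal.if section only changes its timestamp in the @@ -13211 hunk, so whether the interface is defined in the patched hal.if cannot be confirmed from these hunks, although the changelog entry "Dontaudit hal leakage" suggests it is. A comment such as `# hald leaks its open log descriptor across exec into plymouth; hidden under hide_broken_symptoms until hald closes it on exec` would document the intent and point at where the real fix belongs.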