diff --git a/policy-20070703.patch b/policy-20070703.patch index b091d97..b6f334e 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -3070,7 +3070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-03-06 11:16:06.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-03-11 20:02:09.000000000 -0400 @@ -32,7 +32,7 @@ ## ## @@ -3148,7 +3148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if libs_use_ld_so($1_javaplugin_t) libs_use_shared_libs($1_javaplugin_t) -@@ -134,6 +141,10 @@ +@@ -134,9 +141,13 @@ sysnet_read_config($1_javaplugin_t) @@ -3158,7 +3158,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + userdom_read_user_tmpfs_files($1,$1_javaplugin_t) userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t) - userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) +- userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) ++ userdom_exec_user_home_content_files($1,$1_javaplugin_t) + userdom_manage_user_home_content_dirs($1,$1_javaplugin_t) + userdom_manage_user_home_content_files($1,$1_javaplugin_t) + userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t) @@ -147,8 +158,6 @@ tunable_policy(`allow_java_execstack',` allow $1_javaplugin_t self:process execstack; 
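Review bot: In the `@@ -3158` hunk, replacing `userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)` with `userdom_exec_user_home_content_files($1,$1_javaplugin_t)` turns a silenced denial into an unconditional grant, so the per-user browser plugin domain may now execute any file under the user's home directory; the `@@ -3215` hunk adds the same grant for `$1_java_t`. The tail of this hunk already shows the pattern the module uses for risky process permissions, a tunable_policy block keyed on allow_java_execstack, and a home-directory exec grant for a browser plugin is at least as much a policy decision as execstack is. Keep the dontaudit as the default and put the exec rule in a tunable_policy block, or, if it must be unconditional, add a one-line comment above it naming the use case it serves (presumably running user-installed Java code from $HOME, which the hunk does not state). The enclosing interface body starts and ends outside the hunk.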
@@ -3168,7 +3172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if libs_legacy_use_shared_libs($1_javaplugin_t) libs_legacy_use_ld_so($1_javaplugin_t) -@@ -166,6 +175,62 @@ +@@ -166,6 +175,63 @@ optional_policy(` xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') @@ -3215,6 +3219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + domain_interactive_fd($1_java_t) + + userdom_unpriv_usertype($1, $1_java_t) ++ userdom_exec_user_home_content_files($1,$1_java_t) + + allow $1_java_t self:process { getsched sigkill execheap execmem execstack }; + @@ -3231,7 +3236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -219,3 +284,66 @@ +@@ -219,3 +285,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -6844,7 +6849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2008-01-31 14:31:52.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2008-03-11 19:28:41.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(apache,1.7.1) 
@@ -7250,11 +7255,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +766,62 @@ +@@ -686,15 +766,63 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) +sysnet_read_config(httpd_sys_script_t) ++sysnet_use_ldap(httpd_bugzilla_script_t) + ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file { getattr append }; @@ -7314,7 +7320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -707,6 +834,7 @@ +@@ -707,6 +835,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -7322,7 +7328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -728,3 +856,46 @@ +@@ -728,3 +857,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -19899,7 +19905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-02-15 15:38:47.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-03-11 19:41:54.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(logging,1.7.3) 
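Review bot: The added `+sysnet_use_ldap(httpd_bugzilla_script_t)` in the `@@ -7250` hunk is placed directly under `sysnet_read_config(httpd_sys_script_t)` inside the httpd_sys_script_t section of apache.te, so a rule for a different domain is buried in another domain's block and will be missed when the bugzilla script policy is reviewed. Move it next to the other httpd_bugzilla_script_t rules (outside this hunk) and give it a reason, e.g. `# bugzilla can authenticate against LDAP`. If httpd_bugzilla_script_t is declared by a template that is not always instantiated, an unconditional call here would also break the build when the type is absent; the declaration is not visible in this chunk, so that is worth confirming.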
@@ -20068,15 +20074,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow syslogd_t syslogd_var_run_t:file manage_file_perms; files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) -@@ -312,6 +357,7 @@ +@@ -300,6 +345,7 @@ + # Allow users to define additional syslog ports to connect to + corenet_tcp_bind_syslogd_port(syslogd_t) + corenet_tcp_connect_syslogd_port(syslogd_t) ++corenet_tcp_connect_mysql_port(syslogd_t) + + # syslog-ng can send or receive logs + corenet_sendrecv_syslogd_client_packets(syslogd_t) +@@ -312,6 +358,8 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) ++files_read_usr_files(syslogd_t) +files_read_var_files(syslogd_t) files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) -@@ -341,6 +387,12 @@ +@@ -341,6 +389,12 @@ files_var_lib_filetrans(syslogd_t,devlog_t,sock_file) ') @@ -20089,7 +20104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin optional_policy(` inn_manage_log(syslogd_t) ') -@@ -365,3 +417,40 @@ +@@ -365,3 +419,40 @@ # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -20143,7 +20158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2008-02-27 23:24:15.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2008-03-11 19:07:04.000000000 -0400 @@ -44,9 +44,9 @@ # Cluster LVM daemon local policy # 
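Review bot: `+corenet_tcp_connect_mysql_port(syslogd_t)` in the `@@ -20068` hunk sits directly under the comment `# Allow users to define additional syslog ports to connect to`, which now misdescribes it: the MySQL port is not a syslog port, and the grant is unconditional for every syslogd_t instance rather than only for installations that log to a database. Give the line its own comment, e.g. `# syslog daemon may log to a database backend`, and prefer gating it in a tunable_policy block so default installs do not get outbound database network access; the same hunk's `+files_read_usr_files(syslogd_t)` also lands without a comment. The syslogd_t block continues outside the hunk.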
@@ -20229,7 +20244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ') optional_policy(` -@@ -150,7 +163,8 @@ +@@ -150,17 +163,19 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid @@ -20239,7 +20254,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. -@@ -160,7 +174,8 @@ + allow lvm_t self:process setsched; + allow lvm_t self:file rw_file_perms; +-allow lvm_t self:fifo_file rw_file_perms; ++allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;