From 6af7c13f9165a14404de2a0d360328d69c380395 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 14 2009 19:35:53 +0000 Subject: - Allow plymouthd_t to use frame_buffer --- diff --git a/policy-F12.patch b/policy-F12.patch index 2929da3..ead10a8 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2137,7 +2137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2009-10-14 10:28:56.000000000 -0400 @@ -89,5 +89,175 @@ allow $1 gnome_home_t:dir manage_dir_perms; @@ -5578,7 +5578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-01 16:59:38.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-14 11:17:02.000000000 -0400 @@ -1692,6 +1692,78 @@ ######################################## 
@@ -12256,7 +12256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-06 10:24:14.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-14 10:29:26.000000000 -0400 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -12365,7 +12365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,6 +577,7 @@ +@@ -556,11 +577,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -12373,7 +12373,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) -@@ -601,6 +623,9 @@ + lpd_manage_spool(cups_pdf_t) + ++optional_policy(` ++ gnome_read_config(cups_pdf_t) ++') + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(cups_pdf_t) +@@ -601,6 +626,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) 
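Review bot: The new `gnome_read_config(cups_pdf_t)` grant in the cups.te hunk is not recorded anywhere a later auditor would look, because the commit subject and the 3.6.32-27 %changelog entry mention only the plymouthd framebuffer access. The same gap applies to `logging_send_syslog_msg(fail2ban_t)` in the fail2ban.te hunk and `kernel_request_load_module(plymouthd_t)` in the plymouth.te hunk. Each added permission should get its own changelog line, for example `- Allow cups_pdf_t to read gnome config` and `- Allow fail2ban_t to send syslog messages`, so the grant can be traced back to the denial that motivated it. The new changelog entry is also dated `Wed Oct 13 2009` while the entry directly below it gives Oct 13 as a Tuesday; going by the commit date it presumably should read `Wed Oct 14 2009`.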
@@ -12970,7 +12978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.32/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/fail2ban.te 2009-10-14 12:53:20.000000000 -0400 @@ -33,6 +33,7 @@ allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; @@ -12979,6 +12987,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow fail2ban_t self:tcp_socket create_stream_socket_perms; # log files +@@ -79,6 +80,7 @@ + auth_use_nsswitch(fail2ban_t) + + logging_read_all_logs(fail2ban_t) ++logging_send_syslog_msg(fail2ban_t) + + miscfiles_read_localization(fail2ban_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.32/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/fetchmail.te 2009-09-30 16:12:48.000000000 -0400 
@@ -15517,8 +15533,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-10-11 08:00:20.000000000 -0400 -@@ -0,0 +1,92 @@ ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-10-14 11:18:02.000000000 -0400 +@@ -0,0 +1,95 @@ +policy_module(plymouthd, 1.0.0) + +######################################## @@ -15563,9 +15579,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(plymouthd_t) ++kernel_request_load_module(plymouthd_t) + +dev_rw_dri(plymouthd_t) +dev_read_sysfs(plymouthd_t) ++dev_read_framebuffer(plymouthd_t) ++dev_write_framebuffer(plymouthd_t) + +domain_use_interactive_fds(plymouthd_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index dc6ce79..41136ea 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 26%{?dist} +Release: 27%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,8 +449,12 @@ exit 0 %endif %changelog +* Wed Oct 13 2009 Dan Walsh 3.6.32-27 +- Allow plymouthd_t to use frame_buffer + * Tue Oct 13 2009 Dan Walsh 3.6.32-26 - Fix labeling for privoxy config files +- Add devtmpfs file system labeling * Mon Oct 12 2009 Dan Walsh 3.6.32-25 - Fix alias for execmem_exec_t
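Review bot: `kernel_request_load_module(plymouthd_t)` in the plymouth.te hunk goes beyond the framebuffer access the commit subject describes, and nothing in the hunk says why plymouthd needs it. Letting the boot-splash daemon trigger kernel module autoloading widens what a compromised plymouthd can reach, so the line deserves a comment above it, e.g. `# needed when opening the framebuffer triggers a driver module request (confirm against the AVC)`. If the denial was only seen for framebuffer device access, check whether `dev_read_framebuffer(plymouthd_t)` and `dev_write_framebuffer(plymouthd_t)` are sufficient on their own. The plymouth.te policy body continues outside this hunk, so other existing grants may already bear on this.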