rpms/selinux-policy/F-12 policy-20100106.patch, 1.8, 1.9 selinux-policy.spec, 1.997, 1.998
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jan 19 16:50:13 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28042
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Fixes for sssd from Dan Walsh
- Allow snmpd chown capability
policy-20100106.patch:
modules/apps/gpg.fc | 2
modules/apps/mozilla.fc | 1
modules/apps/podsleuth.te | 1
modules/apps/sandbox.if | 46 +++++++++++++--
modules/apps/sandbox.te | 29 +++++----
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/corenetwork.te.in | 4 -
modules/kernel/devices.fc | 2
modules/kernel/devices.if | 18 ++++++
modules/kernel/devices.te | 6 ++
modules/roles/unconfineduser.fc | 2
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.te | 1
modules/services/apache.if | 3 +
modules/services/apache.te | 2
modules/services/apcupsd.te | 2
modules/services/avahi.fc | 2
modules/services/cups.te | 1
modules/services/dovecot.te | 4 +
modules/services/fail2ban.if | 18 ++++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++++
modules/services/git.te | 2
modules/services/kerberos.if | 1
modules/services/memcached.te | 14 +++-
modules/services/nagios.fc | 40 +++++++++++++
modules/services/nagios.te | 3 +
modules/services/openvpn.te | 1
modules/services/postfix.te | 5 +
modules/services/samba.te | 5 +
modules/services/sendmail.te | 2
modules/services/snmp.te | 4 -
modules/services/spamassassin.if | 18 ++++++
modules/services/ssh.te | 80 +--------------------------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 +++++++++++++++++------------
modules/services/sssd.te | 14 +++-
modules/services/tftp.te | 1
modules/services/virt.te | 4 +
modules/services/xserver.fc | 4 +
modules/services/xserver.te | 2
modules/system/hotplug.te | 4 +
modules/system/init.te | 5 +
modules/system/iscsi.fc | 2
modules/system/iscsi.te | 4 +
modules/system/libraries.fc | 7 ++
modules/system/miscfiles.if | 19 ++++++
modules/system/mount.te | 1
modules/system/selinuxutil.te | 1
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 ++++++
modules/system/xen.te | 6 ++
support/obj_perm_sets.spt | 2
users | 2
57 files changed, 526 insertions(+), 152 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- policy-20100106.patch 19 Jan 2010 11:38:59 -0000 1.8
+++ policy-20100106.patch 19 Jan 2010 16:50:13 -0000 1.9
@@ -677,6 +677,17 @@ diff -b -B --ignore-all-space --exclude-
allow gitd_type self:udp_socket create_socket_perms;
allow gitd_type self:unix_dgram_socket create_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100
++++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-19 17:08:35.663632666 +0100
+@@ -86,6 +86,7 @@
+
+ optional_policy(`
+ sssd_read_config_files($1)
++ sssd_read_public_files($1)
+ ')
+
+ tunable_policy(`allow_kerberos',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100
+++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100
@@ -883,10 +894,13 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-18 18:27:02.772530814 +0100
-@@ -27,7 +27,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100
+@@ -25,9 +25,9 @@
+ #
+ # Local policy
#
- allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+-allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
++allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:process { signal signal_perms getsched setsched };
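Review bot: The `chown` capability added to the `allow snmpd_t self:capability` line carries no comment saying which operation needs it, and the commit log only restates the grant ("Allow snmpd chown capability"); since `chown` lets the daemon change ownership of any file it can already write, the denial or bug that motivated it should be recorded next to the rule, e.g. `# chown: needed when snmpd (re)creates its persistent state files — see the AVC/bug that motivated this` above the allow line. If the need is limited to one directory, naming it in that comment lets a later maintainer judge whether the capability can be dropped again. The rest of snmpd_t's local policy lies outside this hunk.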
@@ -1029,35 +1043,296 @@ diff -b -B --ignore-all-space --exclude-
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
-')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
+--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-01-19 17:08:41.212631842 +0100
+@@ -4,6 +4,8 @@
+
+ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
++/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
++
+ /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+ /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-18 18:24:22.901529830 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-18 18:27:02.775542370 +0100
-@@ -95,6 +95,25 @@
- files_search_var_lib($1)
- ')
++++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-19 17:08:45.945631552 +0100
+@@ -12,8 +12,7 @@
+ #
+ interface(`sssd_domtrans',`
+ gen_require(`
+- type sssd_t;
+- type sssd_exec_t;
++ type sssd_t, sssd_exec_t;
+ ')
-+#######################################
-+## <summary>
-+## Dontaudit search sssd lib directories.
+ domtrans_pattern($1, sssd_exec_t, sssd_t)
+@@ -26,7 +25,7 @@
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## The type of the process performing this action.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+@@ -40,6 +39,25 @@
+
+ ########################################
+ ## <summary>
++## Read sssd public files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`sssd_dontaudit_search_lib',`
-+ gen_require(`
-+ type sssd_var_lib_t;
-+ ')
++interface(`sssd_read_public_files',`
++ gen_require(`
++ type sssd_public_t;
++ ')
+
-+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
++ sssd_search_lib($1)
++ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
++########################################
++## <summary>
+ ## Read sssd PID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -59,7 +77,7 @@
+
+ ########################################
+ ## <summary>
+-## Manage sssd var_run files.
++## Read sssd config files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -67,18 +85,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sssd_manage_pids',`
++interface(`sssd_read_config_files',`
+ gen_require(`
+- type sssd_var_run_t;
++ type sssd_config_t;
+ ')
+
+- manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+- manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
++ sssd_search_lib($1)
++ read_files_pattern($1, sssd_config_t, sssd_config_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search sssd lib directories.
++## Manage sssd var_run files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -86,18 +104,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sssd_search_lib',`
++interface(`sssd_manage_pids',`
+ gen_require(`
+- type sssd_var_lib_t;
++ type sssd_var_run_t;
+ ')
+
+- allow $1 sssd_var_lib_t:dir search_dir_perms;
+- files_search_var_lib($1)
++ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
++ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ ')
+
########################################
## <summary>
- ## Read sssd lib files.
+-## Read sssd lib files.
++## Search sssd lib directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -105,18 +123,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sssd_read_lib_files',`
++interface(`sssd_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
++ allow $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+- read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read sssd config files.
++## dontaudit search sssd lib directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -124,19 +142,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sssd_read_config_files',`
++interface(`sssd_dontaudit_search_lib',`
+ gen_require(`
+- type sssd_config_t;
++ type sssd_var_lib_t;
+ ')
+
+- sssd_search_lib($1)
+- read_files_pattern($1, sssd_config_t, sssd_config_t)
++ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## sssd lib files.
++## Read sssd lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -144,18 +161,19 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sssd_manage_lib_files',`
++interface(`sssd_read_lib_files',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+- manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
++ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Manage sssd var_lib files.
++## Create, read, write, and delete
++## sssd lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -163,17 +181,15 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sssd_manage_var_lib',`
++interface(`sssd_manage_lib_files',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+- manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
++ files_search_var_lib($1)
+ manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+- manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+ ')
+
+-
+ ########################################
+ ## <summary>
+ ## Send and receive messages from
+@@ -238,16 +254,13 @@
+ #
+ interface(`sssd_admin',`
+ gen_require(`
+- type sssd_t;
++ type sssd_t, sssd_public_t;
++ type sssd_initrc_exec_t;
+ ')
+
+ allow $1 sssd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, sssd_t, sssd_t)
+
+- gen_require(`
+- type sssd_initrc_exec_t;
+- ')
+-
+ # Allow sssd_t to restart the apache service
+ sssd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+@@ -257,4 +270,6 @@
+ sssd_manage_pids($1)
+
+ sssd_manage_lib_files($1)
++
++ admin_pattern($1, sssd_public_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
+--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-18 18:24:22.901529830 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-01-19 17:08:54.487643800 +0100
+@@ -1,5 +1,5 @@
+
+-policy_module(sssd, 1.0.0)
++policy_module(sssd, 1.0.1)
+
+ ########################################
+ #
+@@ -13,6 +13,9 @@
+ type sssd_initrc_exec_t;
+ init_script_file(sssd_initrc_exec_t)
+
++type sssd_public_t;
++files_pid_file(sssd_public_t)
++
+ type sssd_var_lib_t;
+ files_type(sssd_var_lib_t)
+
+@@ -31,6 +34,9 @@
+ allow sssd_t self:fifo_file rw_file_perms;
+ allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
++manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
++manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
++
+ manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+@@ -43,8 +49,6 @@
+ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
+-fs_list_inotifyfs(sssd_t)
+-
+ kernel_read_system_state(sssd_t)
+
+ corecmd_exec_bin(sssd_t)
+@@ -58,6 +62,8 @@
+ files_read_etc_files(sssd_t)
+ files_read_usr_files(sssd_t)
+
++fs_list_inotifyfs(sssd_t)
++
+ auth_use_nsswitch(sssd_t)
+ auth_domtrans_chk_passwd(sssd_t)
+ auth_domtrans_upd_passwd(sssd_t)
+@@ -69,7 +75,7 @@
+
+ miscfiles_read_localization(sssd_t)
+
+-userdom_manage_tmp_role(system_t, sssd_t)
++userdom_manage_tmp_role(system_r, sssd_t)
+
+ optional_policy(`
+ dbus_system_bus_client(sssd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100
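Review bot: `sssd_public_t` is declared with `files_pid_file(sssd_public_t)` in the sssd.te hunk, yet the only path labeled with it, `/var/lib/sss/pubconf(/.*)?` in sssd.fc, is under /var/lib and the new `sssd_read_public_files` interface reaches it through `sssd_search_lib($1)`, not through /var/run. Giving a /var/lib directory the pidfile attribute lets every domain that holds the generic pid-file interfaces (files_read_all_pids, files_manage_all_pids and similar) reach it, which is broader than the single explicit consumer this commit wires up in kerberos.if; unless that exposure is intended, declaring it like its sibling, `files_type(sssd_public_t)`, confines access to the sssd.if interfaces. Either way a one-line comment above the type stating what sssd publishes there and who is meant to read it would help, since "public" is currently only implied by the name. Nothing in the hunk gives sssd_t a file transition from sssd_var_lib_t into sssd_public_t, so the label presumably relies on restorecon at install time — confirm sssd does not create pubconf at runtime, or it will end up as sssd_var_lib_t.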
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.997
retrieving revision 1.998
diff -u -p -r1.997 -r1.998
--- selinux-policy.spec 19 Jan 2010 11:38:59 -0000 1.997
+++ selinux-policy.spec 19 Jan 2010 16:50:13 -0000 1.998
@@ -460,6 +460,8 @@ exit 0
- Fixes for memcached from Dan Walsh
- Allow podsleuth to read user tmpfs files
- Allow tftpd to read system state information in proc
+- Fixes for sssd from Dan Walsh
+- Allow snmpd chown capability
* Fri Jan 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-71
- Allow hotplug to transition to brctl domain