rpms/selinux-policy/F-12 policy-20100106.patch,1.12,1.13
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jan 21 17:35:21 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23424
Modified Files:
policy-20100106.patch
Log Message:
- gstreamer fixes
policy-20100106.patch:
modules/apps/gnome.fc | 8 ++
modules/apps/gnome.if | 24 ++++----
modules/apps/gnome.te | 6 +-
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5 -
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/podsleuth.te | 1
modules/apps/sandbox.if | 46 +++++++++++++--
modules/apps/sandbox.te | 29 +++++----
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/corenetwork.te.in | 4 -
modules/kernel/devices.fc | 2
modules/kernel/devices.if | 18 ++++++
modules/kernel/devices.te | 6 ++
modules/roles/unconfineduser.fc | 2
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.te | 1
modules/services/afs.te | 6 +-
modules/services/apache.if | 3 +
modules/services/apache.te | 2
modules/services/apcupsd.te | 2
modules/services/avahi.fc | 2
modules/services/cups.te | 1
modules/services/dovecot.te | 4 +
modules/services/fail2ban.if | 18 ++++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++++
modules/services/git.fc | 1
modules/services/git.te | 2
modules/services/kerberos.if | 1
modules/services/memcached.te | 14 +++-
modules/services/nagios.fc | 40 +++++++++++++
modules/services/nagios.te | 3 +
modules/services/openvpn.te | 1
modules/services/postfix.te | 5 +
modules/services/samba.te | 5 +
modules/services/sendmail.te | 2
modules/services/snmp.te | 4 -
modules/services/spamassassin.if | 18 ++++++
modules/services/ssh.te | 80 +--------------------------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 +++++++++++++++++------------
modules/services/sssd.te | 14 +++-
modules/services/tftp.te | 1
modules/services/virt.te | 4 +
modules/services/xserver.fc | 4 +
modules/services/xserver.te | 3 +
modules/system/hotplug.te | 4 +
modules/system/init.te | 5 +
modules/system/iscsi.fc | 2
modules/system/iscsi.te | 4 +
modules/system/libraries.fc | 7 ++
modules/system/locallogin.te | 5 +
modules/system/miscfiles.if | 19 ++++++
modules/system/mount.te | 1
modules/system/selinuxutil.te | 1
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 ++++++
modules/system/xen.te | 6 ++
support/obj_perm_sets.spt | 2
users | 2
65 files changed, 561 insertions(+), 174 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- policy-20100106.patch 21 Jan 2010 13:37:03 -0000 1.12
+++ policy-20100106.patch 21 Jan 2010 17:35:21 -0000 1.13
@@ -1,3 +1,111 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
+--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100
+@@ -3,6 +3,14 @@
+ HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+ HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+ HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++
++/root/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
++/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
++/root/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+
+ /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if
+--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-01-21 18:31:10.642612238 +0100
+@@ -84,12 +84,12 @@
+ #
+ interface(`gnome_manage_config',`
+ gen_require(`
+- type gnome_home_t;
++ attribute gnome_home_type;
+ ')
+
+- allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
+- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
++ allow $1 gnome_home_type:dir manage_dir_perms;
++ allow $1 gnome_home_type:file manage_file_perms;
++ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
+ ')
+
+@@ -129,12 +129,12 @@
+ #
+ template(`gnome_read_config',`
+ gen_require(`
+- type gnome_home_t;
++ attribute gnome_home_type;
+ ')
+
+- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+- read_files_pattern($1, gnome_home_t, gnome_home_t)
+- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
++ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
++ read_files_pattern($1, gnome_home_type, gnome_home_type)
++ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+ ')
+
+ ########################################
+@@ -255,11 +255,11 @@
+ #
+ interface(`gnome_stream_connect',`
+ gen_require(`
+- type gnome_home_t;
++ attribute gnome_home_type;
+ ')
+
+ # Connect to pulseaudit server
+- stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+ ')
+
+ ########################################
+@@ -274,8 +274,8 @@
+ #
+ interface(`gnome_write_inherited_config',`
+ gen_require(`
+- type gnome_home_t;
++ attribute gnome_home_type;
+ ')
+
+- allow $1 gnome_home_t:file rw_inherited_file_perms;
++ allow $1 gnome_home_type:file rw_inherited_file_perms;
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te
+--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-01-18 18:24:22.596529936 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-01-21 18:31:15.086614286 +0100
+@@ -7,6 +7,7 @@
+ #
+
+ attribute gnomedomain;
++attribute gnome_home_type;
+
+ type gconf_etc_t;
+ files_config_file(gconf_etc_t)
+@@ -31,12 +32,15 @@
+ application_domain(gconfd_t, gconfd_exec_t)
+ ubac_constrained(gconfd_t)
+
+-type gnome_home_t;
++type gnome_home_t, gnome_home_type;
+ typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
+ typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+ typealias gnome_home_t alias unconfined_gnome_home_t;
+ userdom_user_home_content(gnome_home_t)
+
++type gstreamer_home_t, gnome_home_type;
++userdom_user_home_content(gstreamer_home_t)
++
+ type gconfdefaultsm_t;
+ type gconfdefaultsm_exec_t;
+ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc 2010-01-19 12:03:52.541857693 +0100
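Review bot: Replacing the type `gnome_home_t` with the attribute `gnome_home_type` in `gnome_manage_config`, `gnome_read_config`, `gnome_stream_connect` and `gnome_write_inherited_config` widens the grant of every existing caller of those interfaces, not only the domains that need the gstreamer registry. Each caller now also reaches `gstreamer_home_t`, and any type later declared with `gnome_home_type` extends all of them with no change visible at the call site. The interface summary comments lie outside the hunk context; they should state the new scope, for example `## Manage content of every type carrying gnome_home_type (currently gnome_home_t and gstreamer_home_t).` Separately, the new `/root/\.local.*` entry copies the unanchored HOME_DIR pattern and so also matches sibling names that merely start with `.local`; `/root/\.local(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)` would limit it to the directory and its contents.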
@@ -35,6 +143,16 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc
+--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 2010-01-18 18:24:22.626536127 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2010-01-21 18:31:18.271612626 +0100
+@@ -1,6 +1,5 @@
+ HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+ HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+-HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
+ HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+ HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100
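Review bot: Dropping `HOME_DIR/\.gstreamer-.*` from `nsplugin_home_t` changes only the file-context mapping, so directories already on disk keep the old label until they are relabelled, and nothing visible in this hunk grants the nsplugin domains access to `gstreamer_home_t`. If nsplugin.te does not already call one of the `gnome_home_type` interfaces, plugins that use gstreamer would presumably hit AVC denials once the directory is relabelled; that should be confirmed against nsplugin.te, which is not shown here. A comment in nsplugin.fc such as `# ~/.gstreamer-* is labelled gstreamer_home_t in gnome.fc` would record where the mapping went, and the package update should relabel existing home directories (for example with `restorecon -R`).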
@@ -708,6 +826,16 @@ diff -b -B --ignore-all-space --exclude-
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc
+--- nsaserefpolicy/policy/modules/services/git.fc 2010-01-18 18:24:22.788540040 +0100
++++ serefpolicy-3.6.32/policy/modules/services/git.fc 2010-01-21 18:32:44.930612521 +0100
+@@ -1,5 +1,6 @@
+ /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+ /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+
+ /srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100
+++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-18 18:27:02.764531054 +0100
@@ -1438,7 +1566,7 @@ diff -b -B --ignore-all-space --exclude-
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-18 18:27:02.779530727 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-21 18:31:22.661610918 +0100
@@ -301,6 +301,8 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
@@ -1448,6 +1576,14 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
+@@ -668,6 +670,7 @@
+
+ optional_policy(`
+ gnome_read_gconf_config(xdm_t)
++ gnome_read_config(xdm_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100
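Review bot: `gnome_read_config(xdm_t)` gives the display manager read access to every type carrying `gnome_home_type`, which after this patch covers `gnome_home_t` (`.config`, `.gnome2` and `.pulse` under user homes and `/root`) as well as `gstreamer_home_t`. The log message says only "gstreamer fixes", so the call looks broader than the stated need; a narrower interface in gnome.if that requires just `gstreamer_home_t` would keep xdm_t closer to least privilege. If the wide grant is intended, a why-comment above the call would make that explicit, e.g. `# xdm needs the per-user gstreamer registry; gnome_read_config also covers gnome_home_t` (wording to be confirmed by the author). The `optional_policy` block that follows the added line continues outside the hunk.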