[selinux-policy/f16] Cleanup spec file to match upstream
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Aug 5 20:06:56 UTC 2011
commit 3a6c287d556e7c9aa60fe59ffd28cc6515076124
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Aug 5 16:06:31 2011 -0400
Cleanup spec file to match upstream
policy-F16.patch | 124 +++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 11 +++-
2 files changed, 100 insertions(+), 35 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 4f45abe..0d78818 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -18995,7 +18995,7 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..fc2c9ec
+index 0000000..db35ff1
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,553 @@
@@ -19376,9 +19376,9 @@ index 0000000..fc2c9ec
+ lpd_run_checkpc(unconfined_t, unconfined_r)
+')
+
-+optional_policy(`
-+ mock_role(unconfined_r, unconfined_t)
-+')
++#optional_policy(`
++# mock_role(unconfined_r, unconfined_t)
++#')
+
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
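Review bot: The `mock_role(unconfined_r, unconfined_t)` block is disabled by commenting it out, and neither the policy text nor the spec changelog in this commit says why. If the call is meant to return, record the reason on the block, e.g. `# disabled: <reason or bug reference>`. If it is not, delete the three lines so the patch does not carry dead policy. The surrounding unconfineduser.te section starts and ends outside this hunk.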
@@ -30908,10 +30908,10 @@ index 9bd812b..c4abec3 100644
## an dnsmasq environment
## </summary>
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..df87ba8 100644
+index fdaeeba..d707dde 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
-@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
@@ -30922,7 +30922,11 @@ index fdaeeba..df87ba8 100644
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
-@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t)
++kernel_request_load_module(dnsmasq_t)
+
+ corenet_all_recvfrom_unlabeled(dnsmasq_t)
+ corenet_all_recvfrom_netlabel(dnsmasq_t)
+@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
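Review bot: The added `kernel_request_load_module(dnsmasq_t)` lets a network-facing daemon trigger kernel module autoloading, and nothing on the line records which module or denial motivated it. The changelog only says dnsmasq_t "asks the kernel to load multiple kernel modules". I would put a comment above the call, e.g. `# dnsmasq triggers autoload of <module>; see <bug reference>`, so the grant can be audited later. If dnsmasq works without the load, `kernel_dontaudit_request_load_module(dnsmasq_t)` would silence the denial without widening the domain.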
@@ -30931,7 +30935,7 @@ index fdaeeba..df87ba8 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +99,16 @@ optional_policy(`
+@@ -96,7 +100,16 @@ optional_policy(`
')
optional_policy(`
@@ -30948,7 +30952,7 @@ index fdaeeba..df87ba8 100644
')
optional_policy(`
-@@ -114,4 +126,5 @@ optional_policy(`
+@@ -114,4 +127,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
@@ -32461,6 +32465,21 @@ index 6537214..7d64c0a 100644
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
+diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
+index 3459d93..c39305a 100644
+--- a/policy/modules/services/fetchmail.te
++++ b/policy/modules/services/fetchmail.te
+@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+ userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+
+ optional_policy(`
++ kerberos_use(fetchmail_t)
++')
++
++optional_policy(`
+ procmail_domtrans(fetchmail_t)
+ ')
+
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 9b7036a..4770f61 100644
--- a/policy/modules/services/finger.te
@@ -33809,7 +33828,7 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..b9032a7 100644
+index 4fde46b..eac72e4 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
@@ -9,24 +9,32 @@ type gnomeclock_t;
@@ -33848,7 +33867,7 @@ index 4fde46b..b9032a7 100644
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +43,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +43,47 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -33888,17 +33907,13 @@ index 4fde46b..b9032a7 100644
+files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)
+files_manage_etc_symlinks(gnomeclock_systemctl_t)
+
-+fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t)
-+
-+# needed by systemctl
-+init_stream_connect(gnomeclock_systemctl_t)
-+init_read_state(gnomeclock_systemctl_t)
-+init_list_pid_dirs(gnomeclock_systemctl_t)
++miscfiles_read_localization(gnomeclock_systemctl_t)
+
+systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
+
+optional_policy(`
-+ ntpd_read_unit_file(gnomeclock_systemctl_t)
++ ntp_read_unit_file(gnomeclock_systemctl_t)
++ ntp_read_state(gnomeclock_systemctl_t)
+')
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
index 7d97298..d6b2959 100644
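Review bot: The added `miscfiles_read_localization(gnomeclock_systemctl_t)` looks redundant with the rest of this commit. The systemctl template now declares `$1_systemctl_t` with the `systemctl_domain` attribute, and systemd.te grants `miscfiles_read_localization(systemctl_domain)`. Assuming gnomeclock_systemctl_t is created through that template (its declaration is outside this hunk), the per-domain line can be dropped so the permission lives in one place.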
@@ -35809,7 +35824,7 @@ index 6fd0b4c..b733e45 100644
-
')
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
-index a73b7a1..7fa55e8 100644
+index a73b7a1..677998f 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -9,6 +9,9 @@ type ksmtuned_t;
@@ -35833,13 +35848,14 @@ index a73b7a1..7fa55e8 100644
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
-@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
+@@ -31,9 +38,17 @@ kernel_read_system_state(ksmtuned_t)
dev_rw_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
corecmd_exec_bin(ksmtuned_t)
++corecmd_exec_shell(ksmtuned_t)
files_read_etc_files(ksmtuned_t)
@@ -36274,7 +36290,7 @@ index 49e04e5..69db026 100644
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..0aebce6 100644
+index 6a78de1..a32fbe8 100644
--- a/policy/modules/services/lircd.te
+++ b/policy/modules/services/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -36294,7 +36310,7 @@ index 6a78de1..0aebce6 100644
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:unix_dgram_socket create_socket_perms;
allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -44,13 +45,13 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t)
corenet_tcp_sendrecv_all_ports(lircd_t)
corenet_tcp_connect_lirc_port(lircd_t)
@@ -36304,6 +36320,7 @@ index 6a78de1..0aebce6 100644
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
dev_rw_input_dev(lircd_t)
++dev_read_sysfs(lircd_t)
-files_read_etc_files(lircd_t)
+files_read_config_files(lircd_t)
@@ -40586,7 +40603,7 @@ index e79dccc..50202ef 100644
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..be0d107 100644
+index e80f8c0..d90ed98 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',`
@@ -40603,7 +40620,7 @@ index e80f8c0..be0d107 100644
+## </summary>
+## </param>
+#
-+interface(`ntpd_read_unit_file',`
++interface(`ntp_read_unit_file',`
+ gen_require(`
+ type ntpd_unit_file_t;
+ ')
@@ -40615,7 +40632,33 @@ index e80f8c0..be0d107 100644
########################################
## <summary>
## Read and write ntpd shared memory.
-@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +141,25 @@ interface(`ntp_rw_shm',`
+
+ ########################################
+ ## <summary>
++## Allow the domain to read ntpd state files in /proc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ntp_read_state',`
++ gen_require(`
++ type ntpd_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, ntpd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an ntp environment
+ ## </summary>
+@@ -140,11 +178,10 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -64720,10 +64763,10 @@ index 0000000..3248032
+
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..7501ef8
+index 0000000..d46fb42
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,377 @@
+@@ -0,0 +1,376 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -64741,17 +64784,16 @@ index 0000000..7501ef8
+ gen_require(`
+ type systemd_systemctl_exec_t;
+ role system_r;
++ attribute systemctl_domain;
+ ')
+
-+ type $1_systemctl_t;
++ type $1_systemctl_t, systemctl_domain;
+ domain_type($1_systemctl_t)
+ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)
+
+ role system_r types $1_systemctl_t;
+
+ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
-+
-+ init_use_fds($1_t)
+')
+
+########################################
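Review bot: Removing `init_use_fds($1_t)` from the template is not equivalent to the `init_use_fds(systemctl_domain)` added in systemd.te. The old line granted the permission to the calling domain `$1_t`, while the attribute only covers `$1_systemctl_t`. If any caller relied on that grant it silently loses it; if the old line was a mistake, say so in the template, e.g. `# init fds are granted to $1_systemctl_t via systemctl_domain, not to $1_t`. The template's opening lines are outside this hunk.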
@@ -65103,10 +65145,10 @@ index 0000000..7501ef8
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..0185280
+index 0000000..d079aca
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,319 @@
+@@ -0,0 +1,337 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -65115,6 +65157,8 @@ index 0000000..0185280
+#
+
+attribute systemd_unit_file_type;
++attribute systemd_domain;
++attribute systemctl_domain;
+
+# New in f16
+permissive systemd_logger_t;
@@ -65426,6 +65470,22 @@ index 0000000..0185280
+logging_send_syslog_msg(systemd_logger_t)
+
+miscfiles_read_localization(systemd_logger_t)
++
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++fs_list_cgroup_dirs(systemctl_domain)
++fs_read_cgroup_files(systemctl_domain)
++
++# needed by systemctl
++init_stream_connect(systemctl_domain)
++init_read_state(systemctl_domain)
++init_list_pid_dirs(systemctl_domain)
++init_use_fds(systemctl_domain)
++
++miscfiles_read_localization(systemctl_domain)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 0291685..7e94f4b 100644
--- a/policy/modules/system/udev.fc
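Review bot: The new section header reads `# systemd_sysctl domains local policy`, but every rule under it targets `systemctl_domain`, so it should read `# systemctl domains local policy`. The rules give every domain carrying the attribute `fs_list_cgroup_dirs` and `fs_read_cgroup_files`, where gnomeclock_systemctl_t previously had only `fs_dontaudit_search_cgroup_dirs`. A one-line comment on why systemctl needs to read cgroup files would help anyone auditing what the attribute grants. The `systemd_domain` attribute declared in the earlier hunk of this file is not used anywhere in the visible changes.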
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d73f51d..c875d24 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 15%{?dist}
+Release: 16%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,8 +466,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Wed Aug 3 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-15
-- Fix fc_sort error
+* Thu Aug 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-16
+- fetchmail can use kerberos
+- ksmtuned reads in shell programs
+- gnome_systemctl_t reads the process state of ntp
+- dnsmasq_t asks the kernel to load multiple kernel modules
+- Add rules for domains executing systemctl
+- Bogus text within fc file
* Wed Aug 3 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-14
- Add cfengine policy