[selinux-policy/f16] Cleanup spec file to match upstream

Daniel J Walsh dwalsh at fedoraproject.org
Fri Aug 5 20:06:56 UTC 2011


commit 3a6c287d556e7c9aa60fe59ffd28cc6515076124
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Aug 5 16:06:31 2011 -0400

    Cleanup spec file to match upstream

 policy-F16.patch    |  124 +++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec |   11 +++-
 2 files changed, 100 insertions(+), 35 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 4f45abe..0d78818 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -18995,7 +18995,7 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..fc2c9ec
+index 0000000..db35ff1
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,553 @@
@@ -19376,9 +19376,9 @@ index 0000000..fc2c9ec
 +	lpd_run_checkpc(unconfined_t, unconfined_r)
 +')
 +
-+optional_policy(`
-+	mock_role(unconfined_r, unconfined_t)
-+')
++#optional_policy(`
++#	mock_role(unconfined_r, unconfined_t)
++#')
 +
 +optional_policy(`
 +	modutils_run_update_mods(unconfined_t, unconfined_r)
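Review bot: The `mock_role(unconfined_r, unconfined_t)` block in unconfineduser.te is commented out rather than removed, and neither the hunk nor the spec changelog says why. Commented-out policy in the unconfined role is easy to re-enable without review and carries no rationale once the git history is lost in the rolled-up patch file. Either delete the three lines or replace them with a one-line reason, e.g. `# mock_role intentionally not granted to unconfined_t here; see upstream` with the actual reason filled in. The enclosing unconfineduser.te body continues on both sides of this hunk.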
@@ -30908,10 +30908,10 @@ index 9bd812b..c4abec3 100644
  ##	an dnsmasq environment
  ## </summary>
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..df87ba8 100644
+index fdaeeba..d707dde 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
-@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
  manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
  logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
  
@@ -30922,7 +30922,11 @@ index fdaeeba..df87ba8 100644
  
  kernel_read_kernel_sysctls(dnsmasq_t)
  kernel_read_system_state(dnsmasq_t)
-@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t)
++kernel_request_load_module(dnsmasq_t)
+ 
+ corenet_all_recvfrom_unlabeled(dnsmasq_t)
+ corenet_all_recvfrom_netlabel(dnsmasq_t)
+@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
  
  miscfiles_read_localization(dnsmasq_t)
  
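Review bot: `kernel_request_load_module(dnsmasq_t)` is added without a comment saying which module loads dnsmasq triggers, and the only rationale is the changelog line "dnsmasq_t asks the kernel to load multiple kernel modules". `module_request` lets a confined daemon make the kernel autoload whatever alias it asks for, so the reason belongs next to the rule; something like `# module_request: dnsmasq triggers kernel module autoload (presumably on socket/netfilter setup) -- see 3.10.0-16 changelog` with the real trigger confirmed. The rest of dnsmasq.te lies outside this hunk.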
@@ -30931,7 +30935,7 @@ index fdaeeba..df87ba8 100644
  userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
-@@ -96,7 +99,16 @@ optional_policy(`
+@@ -96,7 +100,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30948,7 +30952,7 @@ index fdaeeba..df87ba8 100644
  ')
  
  optional_policy(`
-@@ -114,4 +126,5 @@ optional_policy(`
+@@ -114,4 +127,5 @@ optional_policy(`
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
  	virt_read_pid_files(dnsmasq_t)
@@ -32461,6 +32465,21 @@ index 6537214..7d64c0a 100644
  	ps_process_pattern($1, fetchmail_t)
  
  	files_list_etc($1)
+diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
+index 3459d93..c39305a 100644
+--- a/policy/modules/services/fetchmail.te
++++ b/policy/modules/services/fetchmail.te
+@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+ userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+ 
+ optional_policy(`
++	kerberos_use(fetchmail_t)
++')
++
++optional_policy(`
+ 	procmail_domtrans(fetchmail_t)
+ ')
+ 
 diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
 index 9b7036a..4770f61 100644
 --- a/policy/modules/services/finger.te
@@ -33809,7 +33828,7 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..b9032a7 100644
+index 4fde46b..eac72e4 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
 @@ -9,24 +9,32 @@ type gnomeclock_t;
@@ -33848,7 +33867,7 @@ index 4fde46b..b9032a7 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +43,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +43,47 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -33888,17 +33907,13 @@ index 4fde46b..b9032a7 100644
 +files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)
 +files_manage_etc_symlinks(gnomeclock_systemctl_t)
 +
-+fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t)
-+
-+# needed by systemctl
-+init_stream_connect(gnomeclock_systemctl_t)
-+init_read_state(gnomeclock_systemctl_t)
-+init_list_pid_dirs(gnomeclock_systemctl_t)
++miscfiles_read_localization(gnomeclock_systemctl_t)
 +
 +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
 +
 +optional_policy(`
-+	ntpd_read_unit_file(gnomeclock_systemctl_t)
++	ntp_read_unit_file(gnomeclock_systemctl_t)
++	ntp_read_state(gnomeclock_systemctl_t)
 +')
 diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
 index 7d97298..d6b2959 100644
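Review bot: The hunk drops `init_stream_connect`, `init_read_state`, `init_list_pid_dirs` and `fs_dontaudit_search_cgroup_dirs` for gnomeclock_systemctl_t on the assumption that the domain now receives them through the `systemctl_domain` attribute, but the declaration of gnomeclock_systemctl_t is outside this hunk, so whether it is created via the systemd.if template (the only place in this commit that attaches the attribute) cannot be confirmed here. If it is declared with a bare `type gnomeclock_systemctl_t;` in gnomeclock.te, systemctl will lose its connection to init. Conversely, if the attribute does apply, the added `miscfiles_read_localization(gnomeclock_systemctl_t)` duplicates the attribute-level rule added in systemd.te and can be dropped. Please verify the declaration and add a `# systemd template grants init/cgroup access via systemctl_domain` note where the type is declared.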
@@ -35809,7 +35824,7 @@ index 6fd0b4c..b733e45 100644
 -
  ')
 diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
-index a73b7a1..7fa55e8 100644
+index a73b7a1..677998f 100644
 --- a/policy/modules/services/ksmtuned.te
 +++ b/policy/modules/services/ksmtuned.te
 @@ -9,6 +9,9 @@ type ksmtuned_t;
@@ -35833,13 +35848,14 @@ index a73b7a1..7fa55e8 100644
  manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
  files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
  
-@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
+@@ -31,9 +38,17 @@ kernel_read_system_state(ksmtuned_t)
  dev_rw_sysfs(ksmtuned_t)
  
  domain_read_all_domains_state(ksmtuned_t)
 +domain_dontaudit_read_all_domains_state(ksmtuned_t)
  
  corecmd_exec_bin(ksmtuned_t)
++corecmd_exec_shell(ksmtuned_t)
  
  files_read_etc_files(ksmtuned_t)
  
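Review bot: `corecmd_exec_shell(ksmtuned_t)` is added to ksmtuned.te with no comment, and the changelog's "ksmtuned reads in shell programs" is the only hint at why a daemon needs to run a shell in its own domain. If, as seems likely, ksmtuned is itself a shell script that sources other shell files, say so: `# ksmtuned is a shell script; runs /bin/sh in-domain (no transition)`, with the assumption confirmed. The ksmtuned.te body continues outside the hunk.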
@@ -36274,7 +36290,7 @@ index 49e04e5..69db026 100644
  /usr/sbin/lircd		--	gen_context(system_u:object_r:lircd_exec_t,s0)
  
 diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..0aebce6 100644
+index 6a78de1..a32fbe8 100644
 --- a/policy/modules/services/lircd.te
 +++ b/policy/modules/services/lircd.te
 @@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -36294,7 +36310,7 @@ index 6a78de1..0aebce6 100644
  allow lircd_t self:fifo_file rw_fifo_file_perms;
  allow lircd_t self:unix_dgram_socket create_socket_perms;
  allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -44,13 +45,13 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t)
  corenet_tcp_sendrecv_all_ports(lircd_t)
  corenet_tcp_connect_lirc_port(lircd_t)
  
@@ -36304,6 +36320,7 @@ index 6a78de1..0aebce6 100644
  dev_filetrans_lirc(lircd_t)
  dev_rw_lirc(lircd_t)
  dev_rw_input_dev(lircd_t)
++dev_read_sysfs(lircd_t)
  
 -files_read_etc_files(lircd_t)
 +files_read_config_files(lircd_t)
@@ -40586,7 +40603,7 @@ index e79dccc..50202ef 100644
  /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..be0d107 100644
+index e80f8c0..d90ed98 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
 @@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',`
@@ -40603,7 +40620,7 @@ index e80f8c0..be0d107 100644
 +##      </summary>
 +## </param>
 +#
-+interface(`ntpd_read_unit_file',`
++interface(`ntp_read_unit_file',`
 +        gen_require(`
 +                type ntpd_unit_file_t;
 +        ')
@@ -40615,7 +40632,33 @@ index e80f8c0..be0d107 100644
  ########################################
  ## <summary>
  ##	Read and write ntpd shared memory.
-@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +141,25 @@ interface(`ntp_rw_shm',`
+ 
+ ########################################
+ ## <summary>
++##	Allow the domain to read ntpd state files in /proc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ntp_read_state',`
++	gen_require(`
++		type ntpd_t;
++	')
++
++	kernel_search_proc($1)
++	ps_process_pattern($1, ntpd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate
+ ##	an ntp environment
+ ## </summary>
+@@ -140,11 +178,10 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
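Review bot: The new `ntp_read_state` interface is indented with tabs while the sibling `ntp_read_unit_file` added just above it in the same patch file uses eight spaces, so ntp.if now mixes both in adjacent interfaces. Refpolicy convention is tabs; normalise `ntp_read_unit_file` (its `gen_require` and body lines) to tabs so the two read the same. The doc summary "read ntpd state files in /proc" matches what `ps_process_pattern` plus `kernel_search_proc` grant, so no change needed there.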
@@ -64720,10 +64763,10 @@ index 0000000..3248032
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..7501ef8
+index 0000000..d46fb42
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,377 @@
+@@ -0,0 +1,376 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -64741,17 +64784,16 @@ index 0000000..7501ef8
 +        gen_require(`
 +                type systemd_systemctl_exec_t;
 +                role system_r;
++		attribute systemctl_domain;
 +        ')
 +
-+	type $1_systemctl_t;
++	type $1_systemctl_t, systemctl_domain;
 +	domain_type($1_systemctl_t)
 +	domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)	
 +
 +	role system_r types $1_systemctl_t;
 +
 +	domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
-+
-+	init_use_fds($1_t)
 +')
 +
 +########################################
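Review bot: The removed `init_use_fds($1_t)` granted init fd inheritance to the calling domain `$1_t`, but its replacement in systemd.te, `init_use_fds(systemctl_domain)`, applies to `$1_systemctl_t` (the only type given the attribute on the `type $1_systemctl_t, systemctl_domain;` line), so this is a change of subject, not just a move. If `$1_t` no longer needs it, fine, but if the original target was intentional callers of this template will start getting denials. Either re-add `init_use_fds($1_t)` here or add `# init fds are granted to $1_systemctl_t via systemctl_domain, not to $1_t` so the choice is recorded. The `gen_require` block also mixes spaces with the tab-indented `attribute systemctl_domain;` line. The interface's name line is above this hunk.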
@@ -65103,10 +65145,10 @@ index 0000000..7501ef8
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..0185280
+index 0000000..d079aca
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,319 @@
+@@ -0,0 +1,337 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -65115,6 +65157,8 @@ index 0000000..0185280
 +#
 +
 +attribute systemd_unit_file_type;
++attribute systemd_domain;
++attribute systemctl_domain;
 +
 +# New in f16
 +permissive systemd_logger_t;
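Review bot: `attribute systemd_domain;` is declared here but nothing in the visible hunks of this commit attaches a type to it or writes a rule against it, so as far as this page shows it is an unused attribute. If it is a placeholder for later work, a short note such as `# systemd_domain: not yet assigned to any type` avoids it being mistaken for a live grouping; otherwise drop it until it is used. `systemctl_domain` is used by the rules added further down in this file.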
@@ -65426,6 +65470,22 @@ index 0000000..0185280
 +logging_send_syslog_msg(systemd_logger_t)
 +
 +miscfiles_read_localization(systemd_logger_t)
++
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++fs_list_cgroup_dirs(systemctl_domain)
++fs_read_cgroup_files(systemctl_domain)
++
++# needed by systemctl
++init_stream_connect(systemctl_domain)
++init_read_state(systemctl_domain)
++init_list_pid_dirs(systemctl_domain)
++init_use_fds(systemctl_domain)
++
++miscfiles_read_localization(systemctl_domain)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 0291685..7e94f4b 100644
 --- a/policy/modules/system/udev.fc
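Review bot: The new attribute-level rules `fs_list_cgroup_dirs(systemctl_domain)` and `fs_read_cgroup_files(systemctl_domain)` are allow rules, whereas the per-domain rule they replace in gnomeclock.te was `fs_dontaudit_search_cgroup_dirs`, so every systemctl domain now gains real read access to cgroup dirs and files rather than just quieter logs. If systemctl genuinely needs to read cgroup state, note it: `# systemctl reads cgroup state to report unit status -- confirm`; otherwise keep the dontaudit form. The section header `# systemd_sysctl domains local policy` also looks like a typo for `# systemctl domains local policy`. The udev.fc section that starts at the end of this hunk is cut off here.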
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d73f51d..c875d24 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,8 +466,13 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
-* Wed Aug 3 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-15
-- Fix fc_sort error
+* Thu Aug 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-16
+- fetchmail can use kerberos
+- ksmtuned reads in shell programs
+- gnome_systemctl_t reads the process state of ntp
+- dnsmasq_t asks the kernel to load multiple kernel modules
+- Add rules for domains executing systemctl
+- Bogus text within fc file
 
 * Wed Aug 3 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-14
 - Add cfengine policy

