rpms/selinux-policy/F-7 policy-20070501.patch, 1.49, 1.50 selinux-policy.spec, 1.489, 1.490
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Aug 20 22:22:39 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31368
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Mon Aug 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-39
- Allow rpcd to write to sysctl_fs_t
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- policy-20070501.patch 14 Aug 2007 13:44:27 -0000 1.49
+++ policy-20070501.patch 20 Aug 2007 22:22:36 -0000 1.50
@@ -2795,7 +2795,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.6.4/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.fc 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.fc 2007-08-20 15:01:13.000000000 -0400
@@ -1,10 +1,5 @@
# temporary hack till genhomedircon is fixed
-ifdef(`targeted_policy',`
@@ -2826,7 +2826,7 @@
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
-+
++/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-13 19:33:33.000000000 -0400
@@ -3080,7 +3080,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-14 06:47:44.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-20 15:05:12.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(apache,1.6.0)
@@ -3285,16 +3285,18 @@
')
optional_policy(`
-@@ -606,6 +672,8 @@
+@@ -606,6 +672,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
++can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++
+auth_use_nsswitch(httpd_suexec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -668,6 +736,12 @@
+@@ -668,6 +738,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
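Review bot: `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` grants `execute_no_trans`, so a script labeled `httpd_sys_script_exec_t` may now run inside `httpd_suexec_t` itself instead of only through a domain transition into the confined `httpd_sys_script_t`; since suexec is the setuid helper domain, a script that executes without the transition keeps suexec's privileges rather than the script domain's. If the goal is to let suexec launch these scripts, the transition form (`domtrans_pattern(httpd_suexec_t, httpd_sys_script_exec_t, httpd_sys_script_t)`, as the other script domains use) is the safer grant; if a specific no-transition case was seen in an AVC denial, record it in a comment such as `# suexec execs sys scripts in place when <case>` so the widening can be revisited. The suexec local-policy block this lands in starts and ends outside the hunk, so whether a transition rule already exists for httpd_suexec_t is not visible here.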
@@ -3307,7 +3309,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -685,18 +759,6 @@
+@@ -685,18 +761,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3326,7 +3328,7 @@
########################################
#
# Apache system script local policy
-@@ -706,7 +768,8 @@
+@@ -706,7 +770,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -3336,7 +3338,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,21 +783,64 @@
+@@ -720,21 +785,64 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -3406,7 +3408,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -754,14 +860,8 @@
+@@ -754,14 +862,8 @@
# Apache unconfined script local policy
#
@@ -3422,7 +3424,7 @@
')
########################################
-@@ -784,7 +884,26 @@
+@@ -784,7 +886,26 @@
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -3724,7 +3726,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-08-20 15:53:18.000000000 -0400
@@ -119,6 +119,10 @@
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
@@ -3736,7 +3738,27 @@
dev_read_sysfs(named_t)
dev_read_rand(named_t)
-@@ -236,6 +240,7 @@
+@@ -159,6 +163,8 @@
+ manage_lnk_files_pattern(named_t,named_zone_t,named_zone_t)
+ ')
+
++auth_use_nsswitch(named_t)
++
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+@@ -180,6 +186,10 @@
+ ')
+
+ optional_policy(`
++ kerberos_use(named_t)
++')
++
++optional_policy(`
+ # this seems like fds that arent being
+ # closed. these should probably be
+ # dontaudits instead.
+@@ -236,6 +246,7 @@
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
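Review bot: `auth_use_nsswitch(named_t)` and `kerberos_use(named_t)` widen a network-facing DNS daemon well beyond name service: the former presumably pulls in the NIS/LDAP client access governed by the nsswitch tunables and the latter the Kerberos client access under `allow_kerberos`, and neither is mentioned by the changelog entry, which only covers rpcd. A comment naming the motivating case, e.g. `# GSS-TSIG / secure dynamic updates need krb5 configuration access`, would let the next maintainer judge whether the grant is still needed and which `named_t` denials it resolves. If keytab access is part of that case, confirm whether `kerberos_use` covers it or a separate keytab interface is required.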
@@ -7060,7 +7082,7 @@
fs_search_auto_mountpoints($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-08-20 14:56:56.000000000 -0400
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -7071,7 +7093,7 @@
kernel_search_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
-+kernel_read_fs_sysctls(rpcd_t)
++kernel_rw_fs_sysctls(rpcd_t)
+kernel_getattr_core_if(nfsd_t)
fs_list_rpc(rpcd_t)
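Review bot: Replacing `kernel_read_fs_sysctls(rpcd_t)` with `kernel_rw_fs_sysctls(rpcd_t)` grants write access to every `sysctl_fs_t` node, i.e. all of `/proc/sys/fs` (`file-max`, `suid_dumpable`, `binfmt_misc` and so on), not just the NFS/lockd knobs under `/proc/sys/fs/nfs` that rpc daemons are likely to touch. Unless that subtree carries its own type in this policy, the practical mitigation is to record the exact path from the AVC denial in a comment, e.g. `# rpc.statd writes /proc/sys/fs/nfs/nsm_local_state`, so a narrower type can be split out later, and to confirm that rpcd_t actually needs the write rather than a dontaudit. The existing `# for rpc.rquotad` comment above applies to `kernel_read_sysctl(rpcd_t)`; the new rw line should say which daemon it is for.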
@@ -9438,7 +9460,7 @@
# vmware
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-13 07:21:34.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-20 17:13:12.000000000 -0400
@@ -55,14 +55,15 @@
# ldconfig local policy
#
@@ -9465,7 +9487,16 @@
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t)
-@@ -99,8 +101,9 @@
+@@ -81,6 +83,8 @@
+
+ init_use_script_ptys(ldconfig_t)
+
++corecmd_search_bin(ldconfig_t)
++
+ libs_use_ld_so(ldconfig_t)
+ libs_use_shared_libs(ldconfig_t)
+
+@@ -99,8 +103,9 @@
ifdef(`targeted_policy',`
allow ldconfig_t lib_t:file read_file_perms;
files_read_generic_tmp_symlinks(ldconfig_t)
@@ -9477,7 +9508,7 @@
')
optional_policy(`
-@@ -113,4 +116,6 @@
+@@ -113,4 +118,6 @@
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.489
retrieving revision 1.490
diff -u -r1.489 -r1.490
--- selinux-policy.spec 14 Aug 2007 13:44:27 -0000 1.489
+++ selinux-policy.spec 20 Aug 2007 22:22:36 -0000 1.490
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 38%{?dist}
+Release: 39%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@
%endif
%changelog
+* Mon Aug 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-39
+- Allow rpcd to write to sysctl_fs_t
+
* Tue Aug 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-38
- Fix nagios_cgi problems