rpms/selinux-policy/devel policy-20070525.patch, 1.8, 1.9 selinux-policy.spec, 1.463, 1.464
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Jul 2 01:49:58 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24823
Modified Files:
policy-20070525.patch selinux-policy.spec
Log Message:
* Sun Jul 1 2007 Dan Walsh <dwalsh at redhat.com> 3.0.1-4
- fix squid
- Fix rpm running as uid
policy-20070525.patch:
Index: policy-20070525.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070525.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20070525.patch 27 Jun 2007 19:48:33 -0000 1.8
+++ policy-20070525.patch 2 Jul 2007 01:49:51 -0000 1.9
@@ -1792,7 +1792,16 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.1/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/apps/vmware.te 2007-06-21 13:41:35.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/apps/vmware.te 2007-07-01 21:06:08.000000000 -0400
+@@ -29,7 +29,7 @@
+
+ allow vmware_host_t self:capability { setuid net_raw };
+ dontaudit vmware_host_t self:capability sys_tty_config;
+-allow vmware_host_t self:process signal_perms;
++allow vmware_host_t self:process { execstack execmem signal_perms };
+ allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+ allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+ allow vmware_host_t self:rawip_socket create_socket_perms;
@@ -55,6 +55,8 @@
corenet_tcp_sendrecv_all_ports(vmware_host_t)
corenet_udp_sendrecv_all_ports(vmware_host_t)
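Review bot: The new `execstack execmem` grants in `++allow vmware_host_t self:process { execstack execmem signal_perms };` lift the W^X memory restrictions for a domain that already holds `setuid net_raw` and sends/receives on all TCP and UDP ports, and nothing in the hunk records why. Refpolicy practice is to note the trigger so the grant can be revisited when the binary is fixed; I would add `# vmware host binaries appear to need an executable stack/heap - recheck on upgrade` above the rule, hedged because the triggering denial is not visible here. If only one of the two permissions is actually needed, granting just that one is preferable.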
@@ -2350,7 +2359,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.1/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-06-27 10:04:58.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-07-01 21:12:31.000000000 -0400
@@ -1096,6 +1096,24 @@
########################################
@@ -3602,7 +3611,7 @@
fs_getattr_all_fs(entropyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.1/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/automount.te 2007-06-19 17:06:27.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/services/automount.te 2007-07-01 21:23:33.000000000 -0400
@@ -69,6 +69,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
@@ -3619,6 +3628,17 @@
dev_read_urand(automount_t)
domain_use_interactive_fds(automount_t)
+@@ -146,10 +148,6 @@
+ userdom_dontaudit_search_sysadm_home_dirs(automount_t)
+
+ optional_policy(`
+- corecmd_exec_bin(automount_t)
+-')
+-
+-optional_policy(`
+ bind_search_cache(automount_t)
+ ')
+
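Review bot: This hunk drops `corecmd_exec_bin(automount_t)` from its `optional_policy` wrapper, but the relocated call is not visible on this page: the earlier `@@ -69,6 +69,7 @@` hunk on the same file adds one unseen line, which is presumably where it moved. If it was removed outright, automount_t loses the ability to run anything labeled bin_t, so it is worth confirming that the added line is `corecmd_exec_bin(automount_t)` at the unconditional level; corecmd is a base-module interface and never needed the wrapper. The optional_policy block at the top of this hunk continues outside it.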
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.1/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2007-06-15 14:54:33.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/avahi.te 2007-06-27 10:05:15.000000000 -0400
@@ -4214,7 +4234,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.1/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-06-15 14:54:33.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/cups.te 2007-06-21 05:59:32.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/services/cups.te 2007-07-01 21:17:10.000000000 -0400
@@ -81,12 +81,11 @@
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@@ -4229,7 +4249,7 @@
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -149,9 +148,11 @@
+@@ -149,14 +148,16 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -4241,6 +4261,12 @@
dev_rw_printer(cupsd_t)
dev_read_urand(cupsd_t)
+ dev_read_sysfs(cupsd_t)
+-dev_read_usbfs(cupsd_t)
++dev_rw_usbfs(cupsd_t)
+ dev_getattr_printer_dev(cupsd_t)
+
+ domain_read_all_domains_state(cupsd_t)
@@ -175,6 +176,7 @@
term_search_ptys(cupsd_t)
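Review bot: `dev_rw_usbfs(cupsd_t)` widens cupsd from read to read/write on the whole usbfs tree, for a domain that binds reserved ports and connects to all ports per the context lines above. Write access to usbfs lets the daemon drive any USB device, not just printers, so the justification should be recorded next to the rule, e.g. `# usb backend needs rw on /proc/bus/usb to talk to printers`, hedged because the triggering denial is not in the hunk. If the backend has moved to /dev/bus/usb, the narrower `dev_rw_generic_usb_dev` used for hplip in a later hunk may be the better fit.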
@@ -4333,9 +4359,18 @@
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
+@@ -558,7 +591,7 @@
+ dev_read_urand(hplip_t)
+ dev_read_rand(hplip_t)
+ dev_rw_generic_usb_dev(hplip_t)
+-dev_read_usbfs(hplip_t)
++dev_rw_usbfs(hplip_t)
+
+ fs_getattr_all_fs(hplip_t)
+ fs_search_auto_mountpoints(hplip_t)
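Review bot: `hplip_t` now holds both `dev_rw_generic_usb_dev` (the unchanged line above) and `dev_rw_usbfs`, i.e. read/write on the USB device nodes and on the usbfs pseudo-filesystem. If hplip reaches printers through /dev/bus/usb the usbfs grant may be redundant; if it still goes through /proc/bus/usb, a comment such as `# libusb may open devices via /proc/bus/usb or /dev/bus/usb` would explain keeping both. Without it the next reviewer is likely to remove one as a duplicate.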
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.1/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/cvs.te 2007-06-19 17:06:27.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/services/cvs.te 2007-07-01 21:36:29.000000000 -0400
@@ -16,6 +16,7 @@
type cvs_t;
type cvs_exec_t;
@@ -4352,6 +4387,14 @@
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
+@@ -80,6 +82,7 @@
+ libs_use_shared_libs(cvs_t)
+
+ logging_send_syslog_msg(cvs_t)
++logging_send_audit_msg(cvs_t)
+
+ miscfiles_read_localization(cvs_t)
+
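Review bot: `logging_send_audit_msg(cvs_t)` gives a network-reachable service that already executes bin and shell programs (context above) the ability to write records into the audit trail, which normally means the audit_write capability plus a netlink audit socket. A comment stating what produced the need - presumably PAM authentication in pserver mode - belongs next to the call, e.g. `# pserver PAM authentication emits audit records`, hedged because the denial is not visible here. cvs.te's body continues outside this hunk.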
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.1/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-06-15 14:54:33.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/dbus.if 2007-06-19 17:06:27.000000000 -0400
@@ -5438,7 +5481,7 @@
corenet_tcp_connect_portmap_port($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.1/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/nis.te 2007-06-19 17:06:27.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/services/nis.te 2007-06-28 07:25:31.000000000 -0400
@@ -112,6 +112,14 @@
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
@@ -5454,7 +5497,15 @@
optional_policy(`
seutil_sigchld_newrole(ypbind_t)
')
-@@ -154,8 +162,8 @@
+@@ -125,6 +133,7 @@
+ # yppasswdd local policy
+ #
+
++allow yppasswdd_t self:capability dac_override;
+ dontaudit yppasswdd_t self:capability sys_tty_config;
+ allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+ allow yppasswdd_t self:process { setfscreate signal_perms };
+@@ -154,8 +163,8 @@
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_all_nodes(yppasswdd_t)
corenet_udp_bind_all_nodes(yppasswdd_t)
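Review bot: `allow yppasswdd_t self:capability dac_override;` is a blanket DAC bypass for a daemon that binds all nodes and reserved ports (context below), and the hunk does not say which file access needed it. If the need is rewriting a root-owned 0400 /etc/shadow on password change, say so: `# dac_override: rewrites /etc/shadow (mode 0400) on password change`, hedged because the triggering access is not shown; if it was only a read denial, `dac_read_search` is the narrower capability. Once granted, every file access by yppasswdd_t is exempt from mode bits, so the policy's file-type rules become the only remaining guard.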
@@ -5465,7 +5516,7 @@
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
corenet_sendrecv_generic_server_packets(yppasswdd_t)
-@@ -244,6 +252,8 @@
+@@ -244,6 +253,8 @@
corenet_udp_bind_all_nodes(ypserv_t)
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
@@ -5474,7 +5525,7 @@
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
corenet_sendrecv_generic_server_packets(ypserv_t)
-@@ -311,6 +321,8 @@
+@@ -311,6 +322,8 @@
corenet_udp_bind_all_nodes(ypxfr_t)
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
@@ -6818,12 +6869,24 @@
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.1/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/squid.te 2007-06-19 17:06:27.000000000 -0400
-@@ -179,3 +179,12 @@
- #squid requires the following when run in diskd mode, the recommended setting
- allow squid_t tmpfs_t:file { read write };
- ') dnl end TODO
-+
++++ serefpolicy-3.0.1/policy/modules/services/squid.te 2007-07-01 21:13:36.000000000 -0400
+@@ -108,6 +108,8 @@
+
+ fs_getattr_all_fs(squid_t)
+ fs_search_auto_mountpoints(squid_t)
++#squid requires the following when run in diskd mode, the recommended setting
++fs_rw_tmpfs_files(squid_t)
+
+ selinux_dontaudit_getattr_dir(squid_t)
+
+@@ -175,7 +177,11 @@
+ udev_read_db(squid_t)
+ ')
+
+-ifdef(`TODO',`
+-#squid requires the following when run in diskd mode, the recommended setting
+-allow squid_t tmpfs_t:file { read write };
+-') dnl end TODO
+optional_policy(`
+ apache_content_template(squid)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
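Review bot: The tmpfs access that lived under `ifdef(`TODO',...)` is now active unconditionally as `fs_rw_tmpfs_files(squid_t)`, while the retained comment still says it is only needed in diskd mode. The interface is also somewhat wider than the raw `{ read write }` rule it replaces (rw_file_perms typically includes getattr, append, ioctl and lock), which is fine for refpolicy style but worth knowing. If only diskd deployments need it, a `tunable_policy` with a matching `gen_tunable` declaration would keep the default tighter; otherwise drop the diskd qualifier from the comment so it is not misleading. The optional_policy block at the end of this hunk continues outside it.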
@@ -8920,7 +8983,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.1/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/mount.te 2007-06-19 17:06:27.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/mount.te 2007-07-01 20:53:16.000000000 -0400
@@ -8,6 +8,13 @@
## <desc>
@@ -8971,7 +9034,25 @@
allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -128,10 +138,15 @@
+@@ -52,6 +62,8 @@
+ kernel_read_system_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
+ kernel_dontaudit_getattr_core_if(mount_t)
++kernel_search_debugfs(mount_t)
++kernel_read_unlabeled_state(mount_t)
+
+ dev_getattr_all_blk_files(mount_t)
+ dev_list_all_dev_nodes(mount_t)
+@@ -102,6 +114,8 @@
+ init_use_fds(mount_t)
+ init_use_script_ptys(mount_t)
+ init_dontaudit_getattr_initctl(mount_t)
++init_stream_connect_script(mount_t)
++init_rw_script_stream_sockets(mount_t)
+
+ libs_use_ld_so(mount_t)
+ libs_use_shared_libs(mount_t)
+@@ -128,10 +142,15 @@
')
')
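Review bot: `kernel_read_unlabeled_state(mount_t)` and `kernel_search_debugfs(mount_t)` are added without a note on what triggered them; read access to unlabeled_t files is a broad grant, since unlabeled objects are exactly the ones the policy cannot otherwise reason about. The init socket pair `init_stream_connect_script`/`init_rw_script_stream_sockets` looks like mount being run from an init script with its stream socket inherited, which is consistent with the existing `init_use_fds`/`init_use_script_ptys` context. A comment per grant, such as `# mount is run from init scripts with their stream socket inherited` and `# reads unlabeled state during early boot - verify trigger`, would keep these from accumulating silently.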
@@ -8988,7 +9069,7 @@
')
optional_policy(`
-@@ -201,4 +216,53 @@
+@@ -201,4 +220,53 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -9362,7 +9443,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.1/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-27 08:08:02.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-28 07:26:24.000000000 -0400
@@ -68,8 +68,9 @@
allow udev_t udev_tbl_t:file manage_file_perms;
dev_filetrans(udev_t,udev_tbl_t,file)
@@ -9374,7 +9455,7 @@
kernel_read_system_state(udev_t)
kernel_getattr_core_if(udev_t)
-@@ -83,16 +84,22 @@
+@@ -83,16 +84,23 @@
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
@@ -9389,6 +9470,7 @@
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
+dev_search_usbfs_dirs(udev_t)
++dev_relabel_all_dev_nodes(udev_t)
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
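Review bot: `dev_relabel_all_dev_nodes(udev_t)` lets udev_t itself relabel any device node type to any other device type, which is a lot of power for a domain that also gets `dev_rw_generic_files` and `dev_delete_generic_files` (context above); a mislabel there could turn a disk node into something user-accessible. Since udev already transitions to setfiles (`seutil_domtrans_setfiles(udev_t)` in a later hunk), the reason a direct in-domain relabel is needed as well should be recorded - presumably udev labeling newly created nodes in-process via libselinux - e.g. `# udev labels new device nodes in-process (matchpathcon/setfilecon)`, hedged because the trigger is not shown here.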
@@ -9397,7 +9479,7 @@
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
-@@ -142,9 +149,16 @@
+@@ -142,9 +150,16 @@
seutil_read_file_contexts(udev_t)
seutil_domtrans_setfiles(udev_t)
@@ -9414,7 +9496,7 @@
userdom_dontaudit_search_all_users_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -178,6 +192,10 @@
+@@ -178,6 +193,10 @@
')
optional_policy(`
@@ -9425,7 +9507,7 @@
hal_dgram_send(udev_t)
')
-@@ -188,5 +206,24 @@
+@@ -188,5 +207,24 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.463
retrieving revision 1.464
diff -u -r1.463 -r1.464
--- selinux-policy.spec 27 Jun 2007 19:48:33 -0000 1.463
+++ selinux-policy.spec 2 Jul 2007 01:49:51 -0000 1.464
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.1
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -355,6 +355,10 @@
%endif
%changelog
+* Sun Jul 1 2007 Dan Walsh <dwalsh at redhat.com> 3.0.1-4
+- fix squid
+- Fix rpm running as uid
+
* Wed Jun 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.1-3
- Fix syslog declaration