rpms/selinux-policy/F-7 policy-20070501.patch, 1.34, 1.35 selinux-policy.spec, 1.477, 1.478
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Jul 13 15:36:32 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15087
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Fri Jul 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-28
- Additional rules for openvpn reading homedirs
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- policy-20070501.patch 11 Jul 2007 20:43:44 -0000 1.34
+++ policy-20070501.patch 13 Jul 2007 15:36:30 -0000 1.35
@@ -12,7 +12,7 @@
.TP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.6.4/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/flask/access_vectors 2007-07-06 10:36:14.000000000 -0400
++++ serefpolicy-2.6.4/policy/flask/access_vectors 2007-07-12 10:27:08.000000000 -0400
@@ -598,6 +598,8 @@
shmempwd
shmemgrp
@@ -5528,8 +5528,14 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.6.4/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/openvpn.te 2007-07-06 10:36:14.000000000 -0400
-@@ -6,6 +6,13 @@
++++ serefpolicy-2.6.4/policy/modules/services/openvpn.te 2007-07-13 11:31:03.000000000 -0400
+@@ -1,11 +1,18 @@
+
+-policy_module(openvpn,1.2.0)
++policy_module(openvpn,1.2.2)
+
+ ########################################
+ #
# Declarations
#
@@ -5543,7 +5549,18 @@
# main openvpn domain
type openvpn_t;
type openvpn_exec_t;
-@@ -42,8 +49,8 @@
+@@ -28,7 +35,9 @@
+ # openvpn local policy
+ #
+
+-allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
++allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
++allow openvpn_t self:process { signal getsched };
++
+ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow openvpn_t self:udp_socket create_socket_perms;
+@@ -42,8 +51,8 @@
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
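Review bot: `dac_override` on the new line `+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service ... }` is broader than the home-directory read the changelog describes. `dac_read_search` bypasses only the DAC read and search checks, which is what reading another user's config file under their home directory needs; `dac_override` additionally bypasses DAC write and execute checks on every object the type-enforcement rules already permit. If the denials being fixed were reads, `dac_read_search` alone should satisfy them and `dac_override` can be dropped, or held back until an AVC message actually shows it is required. Note also that the capability is granted unconditionally while the read it serves is behind the `openvpn_enable_homedirs` tunable further down, so the two are not switched off together. The openvpn local policy section continues outside this hunk.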
@@ -5554,7 +5571,17 @@
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
-@@ -66,6 +73,7 @@
+@@ -53,7 +62,8 @@
+ corecmd_exec_bin(openvpn_t)
+ corecmd_exec_shell(openvpn_t)
+
+-corenet_non_ipsec_sendrecv(openvpn_t)
++corenet_all_recvfrom_unlabeled(openvpn_t)
++corenet_all_recvfrom_netlabel(openvpn_t)
+ corenet_tcp_sendrecv_all_if(openvpn_t)
+ corenet_udp_sendrecv_all_if(openvpn_t)
+ corenet_tcp_sendrecv_generic_node(openvpn_t)
+@@ -66,6 +76,7 @@
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
@@ -5562,7 +5589,7 @@
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -80,10 +88,15 @@
+@@ -80,15 +91,31 @@
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
@@ -5571,18 +5598,32 @@
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
+-ifdef(`targeted_policy',`
+- # Need to interact with terminals if config option "auth-user-pass" is used
+- term_use_generic_ptys(openvpn_t)
+tunable_policy(`openvpn_enable_homedirs',`
+ userdom_read_unpriv_users_home_content_files(openvpn_t)
-+')
-+
- ifdef(`targeted_policy',`
- # Need to interact with terminals if config option "auth-user-pass" is used
- term_use_generic_ptys(openvpn_t)
-@@ -92,3 +105,4 @@
+ ')
+
optional_policy(`
daemontools_service_domain(openvpn_t,openvpn_exec_t)
')
+
++optional_policy(`
++ dbus_system_bus_client_template(openvpn,openvpn_t)
++ dbus_connect_system_bus(openvpn_t)
++ dbus_send_system_bus(openvpn_t)
++ networkmanager_dbus_chat(openvpn_t)
++')
++
++
++# Need to interact with terminals if config option "auth-user-pass" is used
++userdom_use_sysadm_terms(openvpn_t)
++
++optional_policy(`
++ unconfined_use_terminals(openvpn_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-2.6.4/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/pcscd.te 2007-07-06 10:36:14.000000000 -0400
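Review bot: `userdom_use_sysadm_terms(openvpn_t)` and the `unconfined_use_terminals(openvpn_t)` optional block are added unconditionally, whereas the rule they replace, `term_use_generic_ptys(openvpn_t)`, was wrapped in `ifdef(`targeted_policy',`; as written, the strict and MLS builds now also give openvpn_t access to sysadm terminals whether or not `auth-user-pass` is configured. If the password prompt is the only reason, gating these rules behind a tunable in the same way as the home-directory read, or keeping the `ifdef(`targeted_policy'` wrapper around them, leaves the strict policy unchanged. The `gen_tunable` declaration for `openvpn_enable_homedirs` is not visible in this hunk; it presumably lands in the declarations hunk above, so confirm it is declared there with a default of false, since a `tunable_policy` block that references an undeclared boolean will not build.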
@@ -8046,8 +8087,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-2.6.4/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-10 12:53:45.000000000 -0400
-@@ -0,0 +1,42 @@
++++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-12 15:50:34.000000000 -0400
+@@ -0,0 +1,41 @@
+policy_module(brctl,1.0.0)
+
+########################################
@@ -8089,7 +8130,6 @@
+ term_dontaudit_use_unallocated_ttys(brctl_t)
+ term_dontaudit_use_generic_ptys(brctl_t)
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.6.4/policy/modules/system/clock.te
--- nsaserefpolicy/policy/modules/system/clock.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/clock.te 2007-07-06 10:36:14.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.477
retrieving revision 1.478
diff -u -r1.477 -r1.478
--- selinux-policy.spec 11 Jul 2007 20:43:44 -0000 1.477
+++ selinux-policy.spec 13 Jul 2007 15:36:30 -0000 1.478
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 27%{?dist}
+Release: 28%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@
%endif
%changelog
+* Fri Jul 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-28
+- Additional rules for openvpn reading homedirs
+
* Fri Jul 7 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-27
- Add support for megadev