rpms/selinux-policy/F-7 policy-20070501.patch, 1.25, 1.26 selinux-policy.spec, 1.470, 1.471

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Jun 20 11:53:30 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13776

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Wed Jun 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-21
- Still fixing cron


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- policy-20070501.patch	19 Jun 2007 19:55:19 -0000	1.25
+++ policy-20070501.patch	20 Jun 2007 11:52:49 -0000	1.26
@@ -1611,8 +1611,16 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.6.4/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.if	2007-06-18 10:18:55.000000000 -0400
-@@ -1254,3 +1254,21 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.if	2007-06-20 07:41:47.000000000 -0400
+@@ -64,6 +64,7 @@
+ 	')
+ 
+ 	optional_policy(`
++		selinux_dontaudit_getattr_fs($1)
+ 		selinux_dontaudit_read_fs($1)
+ 	')
+ 
+@@ -1254,3 +1255,21 @@
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  ')
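Review bot: The added `selinux_dontaudit_getattr_fs($1)` at domain.if line 64 silences selinuxfs getattr denials for every domain that goes through this interface, and nothing in the hunk records which program produced the noise, so a later confined domain that really probes selinuxfs will fail invisibly. A one-line comment above the optional_policy block, e.g. `# most domains stat /selinux via libselinux; not a real access attempt`, would let the next maintainer judge whether the suppression is still warranted (the trigger is my guess — state the actual one). The interface also now depends on `selinux_dontaudit_getattr_fs` being defined; the selinux.if hunk at `@@ -51,6 +51,44 @@` presumably adds it, but its body is outside this view. The enclosing interface's header and tail are outside the hunk.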
@@ -2230,7 +2238,7 @@
  attribute privrangetrans;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-2.6.4/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/selinux.if	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/selinux.if	2007-06-20 07:41:33.000000000 -0400
 @@ -51,6 +51,44 @@
  
  ########################################
@@ -3373,7 +3381,7 @@
  		# fcron wants an instant update of a crontab change for the administrator
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cron.te	2007-06-19 14:42:30.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cron.te	2007-06-20 07:51:08.000000000 -0400
 @@ -42,6 +42,9 @@
  type cron_log_t;
  logging_log_file(cron_log_t)
@@ -3517,7 +3525,7 @@
  ')
  
  optional_policy(`
-@@ -258,17 +253,26 @@
+@@ -258,25 +253,39 @@
  # System cron process domain
  #
  
@@ -3544,7 +3552,24 @@
  	# cjp: why?
  	squid_domtrans(system_crond_t)
  ')
-@@ -369,7 +373,7 @@
+ 
+-ifdef(`targeted_policy',`
+-	# cjp: FIXME
+-	allow crond_t unconfined_t:process transition;
+-',`
++optional_policy(`
++	unconfined_dbus_send(crond_t)
++	unconfined_domain(crond_t)
++	unconfined_shell_domtrans(crond_t)
++	unconfined_domain(system_crond_t)
++	userdom_priveleged_home_dir_manager(system_crond_t)
++')
++
++ifdef(`targeted_policy',`',`
+ 	allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+ 	allow system_crond_t self:process { signal_perms setsched };
+ 	allow system_crond_t self:fifo_file rw_fifo_file_perms;
+@@ -369,7 +378,7 @@
  	init_read_utmp(system_crond_t)
  	init_dontaudit_rw_utmp(system_crond_t)
  	# prelink tells init to restart it self, we either need to allow or dontaudit
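Review bot: The new optional_policy block grants `unconfined_domain(crond_t)` and `unconfined_domain(system_crond_t)` whenever the unconfined module is loaded, with no `ifdef(`targeted_policy')` guard, whereas the replaced code confined the crond→unconfined_t transition to the targeted build; on a strict or MLS build that carries the unconfined module this strips confinement from the cron daemon and from every system cron job at once. If unconfined cron is only intended for targeted, wrap the block: `ifdef(`targeted_policy',`` before the `optional_policy(`` and a closing `')` after it, which also makes the now-empty true branch of the following `ifdef(`targeted_policy',`',`` unnecessary. I cannot see which Fedora policy variants ship the unconfined module, so treat the exposure as something to confirm rather than established. The non-targeted branch opened at the `ifdef` line continues past the end of this hunk.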
@@ -3553,7 +3578,7 @@
  
  	libs_use_ld_so(system_crond_t)
  	libs_use_shared_libs(system_crond_t)
-@@ -428,6 +432,10 @@
+@@ -428,6 +437,10 @@
  	')
  
  	optional_policy(`
@@ -3564,21 +3589,6 @@
  		mrtg_append_create_logs(system_crond_t)
  	')
  
-@@ -471,6 +479,14 @@
- 		sysstat_manage_log(system_crond_t)
- 	')
- 
-+	optional_policy(`
-+		unconfined_dbus_send(crond_t)
-+		unconfined_domain(crond_t)
-+		unconfined_shell_domtrans(crond_t)
-+		unconfined_domain(system_crond_t)
-+		userdom_priveleged_home_dir_manager(system_crond_t)
-+	')
-+
- 	ifdef(`TODO',`
- 	dontaudit userdomain system_crond_t:fd use;
- 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-07 14:50:57.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-06-18 10:18:55.000000000 -0400
@@ -5973,7 +5983,7 @@
  	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te	2007-06-20 06:35:10.000000000 -0400
 @@ -79,6 +79,7 @@
  
  optional_policy(`
@@ -5982,7 +5992,17 @@
  ')
  
  ########################################
-@@ -123,6 +124,7 @@
+@@ -91,6 +92,9 @@
+ allow nfsd_t exports_t:file { getattr read };
+ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+ 
++dev_dontaudit_getattr_all_blk_files(nfsd_t) 
++dev_dontaudit_getattr_all_chr_files(nfsd_t) 
++
+ # for /proc/fs/nfs/exports - should we have a new type?
+ kernel_read_system_state(nfsd_t) 
+ kernel_read_network_state(nfsd_t) 
+@@ -123,6 +127,7 @@
  tunable_policy(`nfs_export_all_rw',`
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
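Review bot: `dev_dontaudit_getattr_all_blk_files(nfsd_t)` and `dev_dontaudit_getattr_all_chr_files(nfsd_t)` hide every device-node stat denial for nfsd_t with no comment explaining the scenario, so a later change that makes nfsd actually reach for a device will produce no audit trail. Add a comment naming the trigger, e.g. `# exportfs/rpc.nfsd stat device nodes while walking exported trees; no real access needed` (that is my reading of why it appears here — replace it with the observed AVC). If the denials come from a handful of specific nodes, a narrower `dev_dontaudit_getattr_*` interface for just those types would preserve visibility for the rest.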
@@ -6901,7 +6921,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.6.4/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ssh.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ssh.te	2007-06-19 16:53:47.000000000 -0400
 @@ -24,11 +24,11 @@
  
  # Type for the ssh-agent executable.
@@ -8088,6 +8108,15 @@
  	gpm_getattr_gpmctl(local_login_t)
  	gpm_setattr_gpmctl(local_login_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.6.4/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc	2007-05-07 14:51:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.fc	2007-06-20 07:06:32.000000000 -0400
+@@ -43,3 +43,5 @@
+ /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
+ 
+ /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
++
++/var/log/syslog-ng(/.*)?	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.6.4/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/logging.if	2007-06-19 13:33:17.000000000 -0400
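Review bot: The new logging.fc entry labels regular files under `/var/log/syslog-ng` as `syslogd_var_run_t`, which logging.te declares with `files_pid_file`, so any domain that may read or manage syslogd's pid files, or pid files generally through the `files_*_pids` interfaces, also gets that access to whatever syslog-ng stores there. If these are state or log files, the `var_log_t` the path already inherits or the `syslogd_var_lib_t` type this same commit introduces fits better, and the entry should carry a comment saying what syslog-ng writes under that directory. Note also that the `--` qualifier restricts the match to regular files, so the directory itself stays `var_log_t`; drop `--` if the whole tree is meant. The entry is appended after `/var/tinydns/log/main` although the surrounding entries appear to be kept in path order.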
@@ -8285,7 +8314,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.te	2007-06-20 07:06:21.000000000 -0400
 @@ -7,10 +7,15 @@
  #
  
@@ -8302,7 +8331,17 @@
  role system_r types auditctl_t;
  
  type auditd_etc_t;
-@@ -59,14 +64,17 @@
+@@ -48,6 +53,9 @@
+ type syslogd_tmp_t;
+ files_tmp_file(syslogd_tmp_t)
+ 
++type syslogd_var_lib_t;
++files_type(syslogd_var_lib_t)
++
+ type syslogd_var_run_t;
+ files_pid_file(syslogd_var_run_t)
+ 
+@@ -59,14 +67,17 @@
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
  ')
  
@@ -8323,7 +8362,7 @@
  read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
  allow auditctl_t auditd_etc_t:dir list_dir_perms;
  
-@@ -91,6 +99,7 @@
+@@ -91,6 +102,7 @@
  
  locallogin_dontaudit_use_fds(auditctl_t)
  
@@ -8331,7 +8370,7 @@
  logging_send_syslog_msg(auditctl_t)
  
  ifdef(`targeted_policy',`
-@@ -103,12 +112,11 @@
+@@ -103,12 +115,11 @@
  # Auditd local policy
  #
  
@@ -8345,7 +8384,7 @@
  allow auditd_t self:fifo_file rw_file_perms;
  
  allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -146,6 +154,7 @@
+@@ -146,6 +157,7 @@
  
  init_telinit(auditd_t)
  
@@ -8353,8 +8392,13 @@
  logging_send_syslog_msg(auditd_t)
  
  libs_use_ld_so(auditd_t)
-@@ -267,6 +276,9 @@
+@@ -265,8 +277,14 @@
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
  
++files_search_var_lib(syslogd_t)
++manage_files_pattern(syslogd_t,syslogd_var_lib_t,syslogd_var_lib_t)
++
  # create/append log files.
  manage_files_pattern(syslogd_t,var_log_t,var_log_t)
 +# r/w log fifo_files files.
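Review bot: `manage_files_pattern(syslogd_t,syslogd_var_lib_t,syslogd_var_lib_t)` only applies to files inside a directory already labeled `syslogd_var_lib_t`, yet no file-context line in this diff assigns that type to any path (the only new fc entry uses `syslogd_var_run_t`), and there is no `files_var_lib_filetrans`, so anything syslogd creates directly under /var/lib stays `var_lib_t` and the new type is unused. If the intent is a syslog-ng state directory, add an fc entry such as `/var/lib/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_lib_t,s0)` (path to be confirmed), and if syslogd creates the directory itself add `manage_dirs_pattern(syslogd_t,syslogd_var_lib_t,syslogd_var_lib_t)` together with `files_var_lib_filetrans(syslogd_t,syslogd_var_lib_t,{ file dir })`. A comment above the two new lines stating what lives there would also help.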
@@ -8363,7 +8407,7 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
-@@ -331,6 +343,7 @@
+@@ -331,6 +349,7 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.470
retrieving revision 1.471
diff -u -r1.470 -r1.471
--- selinux-policy.spec	19 Jun 2007 20:03:01 -0000	1.470
+++ selinux-policy.spec	20 Jun 2007 11:52:49 -0000	1.471
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@
 %endif
 
 %changelog
+* Wed Jun 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-21
+- Still fixing cron
+
 * Tue Jun 19 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-20
 - Allow crond to domtrans to uncofined_t
 



