rpms/selinux-policy/F-7 policy-20070501.patch, 1.25, 1.26 selinux-policy.spec, 1.470, 1.471
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Jun 20 11:53:30 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13776
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Wed Jun 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-21
- Still fixing cron
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- policy-20070501.patch 19 Jun 2007 19:55:19 -0000 1.25
+++ policy-20070501.patch 20 Jun 2007 11:52:49 -0000 1.26
@@ -1611,8 +1611,16 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.6.4/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.if 2007-06-18 10:18:55.000000000 -0400
-@@ -1254,3 +1254,21 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.if 2007-06-20 07:41:47.000000000 -0400
+@@ -64,6 +64,7 @@
+ ')
+
+ optional_policy(`
++ selinux_dontaudit_getattr_fs($1)
+ selinux_dontaudit_read_fs($1)
+ ')
+
+@@ -1254,3 +1255,21 @@
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
')
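Review bot: The added `selinux_dontaudit_getattr_fs($1)` in domain.if has no comment saying which denial it silences. It sits in a block parameterised on `$1`, so it presumably applies to every domain that goes through the enclosing interface, whose start is outside this hunk. Because dontaudit rules remove the AVC record entirely, a short why-comment above the line would help anyone later triaging missing denials, for example `# dontaudit: <program> stats selinuxfs at startup; denial is noise`, with the actual trigger filled in by the author. The same applies to `dev_dontaudit_getattr_all_blk_files(nfsd_t)` and `dev_dontaudit_getattr_all_chr_files(nfsd_t)` added in the rpc.te hunk.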
@@ -2230,7 +2238,7 @@
attribute privrangetrans;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-2.6.4/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/selinux.if 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/selinux.if 2007-06-20 07:41:33.000000000 -0400
@@ -51,6 +51,44 @@
########################################
@@ -3373,7 +3381,7 @@
# fcron wants an instant update of a crontab change for the administrator
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-06-19 14:42:30.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-06-20 07:51:08.000000000 -0400
@@ -42,6 +42,9 @@
type cron_log_t;
logging_log_file(cron_log_t)
@@ -3517,7 +3525,7 @@
')
optional_policy(`
-@@ -258,17 +253,26 @@
+@@ -258,25 +253,39 @@
# System cron process domain
#
@@ -3544,7 +3552,24 @@
# cjp: why?
squid_domtrans(system_crond_t)
')
-@@ -369,7 +373,7 @@
+
+-ifdef(`targeted_policy',`
+- # cjp: FIXME
+- allow crond_t unconfined_t:process transition;
+-',`
++optional_policy(`
++ unconfined_dbus_send(crond_t)
++ unconfined_domain(crond_t)
++ unconfined_shell_domtrans(crond_t)
++ unconfined_domain(system_crond_t)
++ userdom_priveleged_home_dir_manager(system_crond_t)
++')
++
++ifdef(`targeted_policy',`',`
+ allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+ allow system_crond_t self:process { signal_perms setsched };
+ allow system_crond_t self:fifo_file rw_fifo_file_perms;
+@@ -369,7 +378,7 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
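Review bot: The `optional_policy` block granting `unconfined_domain(crond_t)` and `unconfined_domain(system_crond_t)` now sits at the top level of cron.te, ahead of the `targeted_policy` conditional, so it no longer depends on the policy type. The copy removed further down was indented, which suggests it used to be nested inside a conditional. If so, a non-targeted build that includes the unconfined module would now run both cron domains unconfined. If that is not intended, wrap the block in an `ifdef` on `targeted_policy`, as the removed `allow crond_t unconfined_t:process transition;` rule was. The `# cjp: FIXME` marker is dropped without a replacement, so a comment saying why cron needs full unconfined access rather than only the transition would be worth adding.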
@@ -3553,7 +3578,7 @@
libs_use_ld_so(system_crond_t)
libs_use_shared_libs(system_crond_t)
-@@ -428,6 +432,10 @@
+@@ -428,6 +437,10 @@
')
optional_policy(`
@@ -3564,21 +3589,6 @@
mrtg_append_create_logs(system_crond_t)
')
-@@ -471,6 +479,14 @@
- sysstat_manage_log(system_crond_t)
- ')
-
-+ optional_policy(`
-+ unconfined_dbus_send(crond_t)
-+ unconfined_domain(crond_t)
-+ unconfined_shell_domtrans(crond_t)
-+ unconfined_domain(system_crond_t)
-+ userdom_priveleged_home_dir_manager(system_crond_t)
-+ ')
-+
- ifdef(`TODO',`
- dontaudit userdomain system_crond_t:fd use;
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-06-18 10:18:55.000000000 -0400
@@ -5973,7 +5983,7 @@
fs_search_auto_mountpoints($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-06-20 06:35:10.000000000 -0400
@@ -79,6 +79,7 @@
optional_policy(`
@@ -5982,7 +5992,17 @@
')
########################################
-@@ -123,6 +124,7 @@
+@@ -91,6 +92,9 @@
+ allow nfsd_t exports_t:file { getattr read };
+ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+
++dev_dontaudit_getattr_all_blk_files(nfsd_t)
++dev_dontaudit_getattr_all_chr_files(nfsd_t)
++
+ # for /proc/fs/nfs/exports - should we have a new type?
+ kernel_read_system_state(nfsd_t)
+ kernel_read_network_state(nfsd_t)
+@@ -123,6 +127,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -6901,7 +6921,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.6.4/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ssh.te 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ssh.te 2007-06-19 16:53:47.000000000 -0400
@@ -24,11 +24,11 @@
# Type for the ssh-agent executable.
@@ -8088,6 +8108,15 @@
gpm_getattr_gpmctl(local_login_t)
gpm_setattr_gpmctl(local_login_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.6.4/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc 2007-05-07 14:51:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.fc 2007-06-20 07:06:32.000000000 -0400
+@@ -43,3 +43,5 @@
+ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+
+ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.6.4/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/logging.if 2007-06-19 13:33:17.000000000 -0400
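Review bot: The new logging.fc entry labels `/var/log/syslog-ng(/.*)?` as `syslogd_var_run_t`, which logging.te declares with `files_pid_file`, even though the path is under /var/log. Meanwhile the `syslogd_var_lib_t` type that this same commit declares and grants to `syslogd_t` has no file-context entry or type transition visible in this diff, so nothing shown here would ever carry that label. The `--` specifier also limits the entry to regular files, leaving the `/var/log/syslog-ng` directory itself with its inherited label. If the entry is meant for syslog-ng's state data, it probably should name the directory where that data lives and use `syslogd_var_lib_t`; the intended path and type need confirming by the author. The logging.te hunks adding `type syslogd_var_lib_t;` and `manage_files_pattern(syslogd_t,syslogd_var_lib_t,syslogd_var_lib_t)` depend on the same fix.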
@@ -8285,7 +8314,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-06-20 07:06:21.000000000 -0400
@@ -7,10 +7,15 @@
#
@@ -8302,7 +8331,17 @@
role system_r types auditctl_t;
type auditd_etc_t;
-@@ -59,14 +64,17 @@
+@@ -48,6 +53,9 @@
+ type syslogd_tmp_t;
+ files_tmp_file(syslogd_tmp_t)
+
++type syslogd_var_lib_t;
++files_type(syslogd_var_lib_t)
++
+ type syslogd_var_run_t;
+ files_pid_file(syslogd_var_run_t)
+
+@@ -59,14 +67,17 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
@@ -8323,7 +8362,7 @@
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
-@@ -91,6 +99,7 @@
+@@ -91,6 +102,7 @@
locallogin_dontaudit_use_fds(auditctl_t)
@@ -8331,7 +8370,7 @@
logging_send_syslog_msg(auditctl_t)
ifdef(`targeted_policy',`
-@@ -103,12 +112,11 @@
+@@ -103,12 +115,11 @@
# Auditd local policy
#
@@ -8345,7 +8384,7 @@
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -146,6 +154,7 @@
+@@ -146,6 +157,7 @@
init_telinit(auditd_t)
@@ -8353,8 +8392,13 @@
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -267,6 +276,9 @@
+@@ -265,8 +277,14 @@
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
++files_search_var_lib(syslogd_t)
++manage_files_pattern(syslogd_t,syslogd_var_lib_t,syslogd_var_lib_t)
++
# create/append log files.
manage_files_pattern(syslogd_t,var_log_t,var_log_t)
+# r/w log fifo_files files.
@@ -8363,7 +8407,7 @@
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -331,6 +343,7 @@
+@@ -331,6 +349,7 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.470
retrieving revision 1.471
diff -u -r1.470 -r1.471
--- selinux-policy.spec 19 Jun 2007 20:03:01 -0000 1.470
+++ selinux-policy.spec 20 Jun 2007 11:52:49 -0000 1.471
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@
%endif
%changelog
+* Wed Jun 20 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-21
+- Still fixing cron
+
* Tue Jun 19 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-20
- Allow crond to domtrans to uncofined_t