rpms/selinux-policy/F-8 policy-20070703.patch, 1.111, 1.112 selinux-policy.spec, 1.560, 1.561
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Oct 29 20:05:41 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14284
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Oct 29 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-39
- Allow unconfined to run crontab
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -r1.111 -r1.112
--- policy-20070703.patch 29 Oct 2007 19:02:21 -0000 1.111
+++ policy-20070703.patch 29 Oct 2007 20:05:37 -0000 1.112
@@ -4642,8 +4642,16 @@
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-22 13:22:31.000000000 -0400
-@@ -39,6 +39,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-29 16:03:39.000000000 -0400
+@@ -31,6 +31,7 @@
+ /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
++/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t:s0)
+ /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -39,6 +40,7 @@
')
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
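Review bot: The added `/dev/ps3d.*` entry writes `fixed_disk_device_t:s0` with a colon, where every neighbouring entry separates the type from the level with a comma, so `gen_context` receives one argument instead of two. If the macro appends the level itself on MCS/MLS builds (its definition is not visible here), the resulting context is probably malformed and the entry may be rejected or leave the PS3 disk nodes without the `fixed_disk_device_t` label. The other fixed-disk entries in this hunk (`/dev/ram.*`, `/dev/rawctl`, `/dev/rd.*`) also use `mls_systemhigh` rather than `s0`. Unless raw PS3 disks are meant to sit at the lowest sensitivity, the line should read `/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`.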
@@ -4651,7 +4659,7 @@
/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -52,7 +53,7 @@
+@@ -52,7 +54,7 @@
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -7519,8 +7527,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-27 07:39:12.000000000 -0400
-@@ -0,0 +1,230 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-27 07:41:14.000000000 -0400
+@@ -0,0 +1,237 @@
+
+policy_module(exim, 1.0.0)
+
@@ -7544,6 +7552,9 @@
+type exim_spool_t;
+files_type(exim_spool_t)
+
++type exim_tmp_t;
++files_tmp_file(exim_tmp_t)
++
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
+
@@ -7653,6 +7664,10 @@
+allow exim_t exim_spool_t:sock_file create_file_perms;
+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
+
++manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
++manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
++files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
++
+## logging
+logging_send_syslog_msg(exim_t)
+
@@ -16290,7 +16305,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-26 11:52:26.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-29 15:01:25.000000000 -0400
@@ -5,36 +5,52 @@
#
# Declarations
@@ -16351,7 +16366,7 @@
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +58,36 @@
+@@ -42,37 +58,37 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16394,10 +16409,11 @@
# this is disallowed usage:
unconfined_domain(unconfined_crond_t)
+ unconfined_domain(unconfined_crontab_t)
++ role system_r types unconfined_crontab_t;
')
optional_policy(`
-@@ -107,6 +122,10 @@
+@@ -107,6 +123,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
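Review bot: The new `role system_r types unconfined_crontab_t;` carries no explanation and sits directly under the existing "this is disallowed usage" comment, so a reader cannot tell why `system_r` is needed when the log message only says unconfined users should run crontab. Because `unconfined_crontab_t` is made an unconfined domain on the line above, this association lets a `system_r` context carry an unconfined type, which is worth justifying in the policy itself. I would add a comment immediately above the rule naming the transition that requires it, for example `# system_r is needed here because <caller/transition to be named by the author>`. The enclosing `optional_policy` block starts outside this hunk, so whether `unconfined_r` is already authorised for this type cannot be confirmed from here.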
@@ -16408,7 +16424,7 @@
')
optional_policy(`
-@@ -114,15 +133,15 @@
+@@ -114,15 +134,15 @@
')
optional_policy(`
@@ -16427,7 +16443,7 @@
')
optional_policy(`
-@@ -130,15 +149,10 @@
+@@ -130,15 +150,10 @@
')
optional_policy(`
@@ -16445,7 +16461,7 @@
')
optional_policy(`
-@@ -155,32 +169,23 @@
+@@ -155,32 +170,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16482,7 +16498,7 @@
')
optional_policy(`
-@@ -205,11 +210,22 @@
+@@ -205,11 +211,22 @@
')
optional_policy(`
@@ -16507,7 +16523,7 @@
')
########################################
-@@ -225,8 +241,21 @@
+@@ -225,8 +242,21 @@
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.560
retrieving revision 1.561
diff -u -r1.560 -r1.561
--- selinux-policy.spec 29 Oct 2007 19:02:21 -0000 1.560
+++ selinux-policy.spec 29 Oct 2007 20:05:37 -0000 1.561
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 38%{?dist}
+Release: 39%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,9 @@
%endif
%changelog
+* Mon Oct 29 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-39
+- Allow unconfined to run crontab
+
* Sat Oct 27 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-38
- Allow ip to load sys_modules in order to bring up ip6 networks