rpms/selinux-policy/F-8 policy-20070703.patch, 1.111, 1.112 selinux-policy.spec, 1.560, 1.561

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Oct 29 20:05:41 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14284

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Oct 29 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-39
- Allow unconfined to run crontab


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -r1.111 -r1.112
--- policy-20070703.patch	29 Oct 2007 19:02:21 -0000	1.111
+++ policy-20070703.patch	29 Oct 2007 20:05:37 -0000	1.112
@@ -4642,8 +4642,16 @@
  neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc	2007-10-22 13:22:31.000000000 -0400
-@@ -39,6 +39,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc	2007-10-29 16:03:39.000000000 -0400
+@@ -31,6 +31,7 @@
+ /dev/pcd[0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pd[a-d][^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/ps3d.*   		-b 	gen_context(system_u:object_r:fixed_disk_device_t:s0)
+ /dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -39,6 +40,7 @@
  ')
  /dev/s(cd|r)[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sbpcd.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
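Review bot: The new `/dev/ps3d.*` entry writes `gen_context(system_u:object_r:fixed_disk_device_t:s0)` with a colon before the level, while every neighbouring entry passes the level as a second, comma-separated argument. With the colon the macro gets no level argument, so the context it builds is likely malformed or mislabelled once MCS/MLS is enabled. The entry also uses `s0`, where the adjacent `fixed_disk_device_t` entries (`/dev/ram.*`, `/dev/rawctl`, `/dev/rd.*`) use `mls_systemhigh`, so an MLS policy would label this raw disk node at the lowest level. I would change the line to `/dev/ps3d.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` and confirm the label with `matchpathcon` after the build.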
@@ -4651,7 +4659,7 @@
  /dev/sg[0-9]+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
  /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-@@ -52,7 +53,7 @@
+@@ -52,7 +54,7 @@
  
  /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  
@@ -7519,8 +7527,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-10-27 07:39:12.000000000 -0400
-@@ -0,0 +1,230 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-10-27 07:41:14.000000000 -0400
+@@ -0,0 +1,237 @@
 +
 +policy_module(exim, 1.0.0)
 +
@@ -7544,6 +7552,9 @@
 +type exim_spool_t;
 +files_type(exim_spool_t)
 +
++type exim_tmp_t;
++files_tmp_file(exim_tmp_t)
++
 +type exim_var_run_t;
 +files_pid_file(exim_var_run_t)
 +
@@ -7653,6 +7664,10 @@
 +allow exim_t exim_spool_t:sock_file create_file_perms;
 +files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
 +
++manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
++manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
++files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
++
 +## logging
 +logging_send_syslog_msg(exim_t)
 +
@@ -16290,7 +16305,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-26 11:52:26.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-29 15:01:25.000000000 -0400
 @@ -5,36 +5,52 @@
  #
  # Declarations
@@ -16351,7 +16366,7 @@
  
  libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,37 +58,36 @@
+@@ -42,37 +58,37 @@
  logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16394,10 +16409,11 @@
  	# this is disallowed usage:
  	unconfined_domain(unconfined_crond_t)
 +	unconfined_domain(unconfined_crontab_t)
++	role system_r types unconfined_crontab_t;
  ')
  
  optional_policy(`
-@@ -107,6 +122,10 @@
+@@ -107,6 +123,10 @@
  	optional_policy(`
  		oddjob_dbus_chat(unconfined_t)
  	')
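Review bot: The added `role system_r types unconfined_crontab_t;` has no comment saying which transition needs it, and it sits directly under the existing `# this is disallowed usage:` remark beside two `unconfined_domain(...)` calls. The commit log says only "Allow unconfined to run crontab", whereas this rule makes a fully unconfined type reachable from any `system_r` context, which is wider than the log implies. A one-line comment would record the reason, for example `# unconfined_t runs crontab while still in system_r, so system_r must be authorized for this type`, if that is the actual reason. The enclosing block opens outside this hunk, so whether the rule is guarded by a conditional or `optional_policy` cannot be checked from here.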
@@ -16408,7 +16424,7 @@
  ')
  
  optional_policy(`
-@@ -114,15 +133,15 @@
+@@ -114,15 +134,15 @@
  ')
  
  optional_policy(`
@@ -16427,7 +16443,7 @@
  ')
  
  optional_policy(`
-@@ -130,15 +149,10 @@
+@@ -130,15 +150,10 @@
  ')
  
  optional_policy(`
@@ -16445,7 +16461,7 @@
  ')
  
  optional_policy(`
-@@ -155,32 +169,23 @@
+@@ -155,32 +170,23 @@
  
  optional_policy(`
  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16482,7 +16498,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +210,22 @@
+@@ -205,11 +211,22 @@
  ')
  
  optional_policy(`
@@ -16507,7 +16523,7 @@
  ')
  
  ########################################
-@@ -225,8 +241,21 @@
+@@ -225,8 +242,21 @@
  
  	init_dbus_chat_script(unconfined_execmem_t)
  	unconfined_dbus_chat(unconfined_execmem_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.560
retrieving revision 1.561
diff -u -r1.560 -r1.561
--- selinux-policy.spec	29 Oct 2007 19:02:21 -0000	1.560
+++ selinux-policy.spec	29 Oct 2007 20:05:37 -0000	1.561
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 38%{?dist}
+Release: 39%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,9 @@
 %endif
 
 %changelog
+* Mon Oct 29 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-39
+- Allow unconfined to run crontab
+
 * Sat Oct 27 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-38
 - Allow ip to load sys_modules in order to bring up ip6 networks
 



