rpms/selinux-policy/devel policy-20070703.patch, 1.46, 1.47 selinux-policy.spec, 1.513, 1.514
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Sep 6 02:24:21 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31897
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Tue Aug 28 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-3
- Allow sendmail to create etc_aliases_t
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- policy-20070703.patch 5 Sep 2007 21:30:18 -0000 1.46
+++ policy-20070703.patch 6 Sep 2007 02:24:18 -0000 1.47
@@ -3164,7 +3164,7 @@
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.7/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-05 07:16:31.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-05 22:22:33.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3409,7 +3409,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -1013,46 +1047,143 @@
+@@ -1013,46 +1047,141 @@
## </summary>
## </param>
#
@@ -3554,8 +3554,6 @@
+ # Allow $1 to restart the apache service
+ apache_script_domtrans($1)
+ domain_system_change_exemption($1)
-+ domain_role_change_exemption($1)
-+ domain_obj_id_change_exemption($1)
+ role_transition $2 httpd_script_exec_t system_r;
+ allow $2 system_r;
+
@@ -6184,8 +6182,8 @@
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.7/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-04 16:56:14.000000000 -0400
-@@ -157,3 +157,80 @@
++++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-05 22:11:26.000000000 -0400
+@@ -157,3 +157,79 @@
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
')
@@ -6241,13 +6239,12 @@
+ type mysqld_script_exec_t;
+ ')
+
-+ allow $1 mysqld_t:process { ptrace signal_perms };
++ allow $1 mysqld_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, mysqld_t, mysqld_t)
+
+ # Allow $1 to restart the apache service
+ mysql_script_domtrans($1)
-+ domain_role_change_exemption($1)
+ domain_system_change_exemption($1)
-+ domain_obj_id_change_exemption($1)
+ role_transition $2 mysqld_script_exec_t system_r;
+ allow $2 system_r;
+
@@ -7324,8 +7321,8 @@
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.7/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-05 15:13:11.000000000 -0400
-@@ -113,3 +113,78 @@
++++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-05 22:13:10.000000000 -0400
+@@ -113,3 +113,77 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
@@ -7379,13 +7376,12 @@
+ type postgresql_log_t;
+ ')
+
-+ allow $1 postgresql_t:process { ptrace signal_perms };
++ allow $1 postgresql_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postgresql_t, postgresql_t)
+
+ # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1)
+ domain_system_change_exemption($1)
-+ domain_role_change_exemption($1)
-+ domain_obj_id_change_exemption($1)
+ role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r;
+
@@ -10347,7 +10343,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.7/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-04 12:01:50.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-05 22:21:18.000000000 -0400
@@ -10,6 +10,20 @@
# Declarations
#
@@ -10418,7 +10414,7 @@
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -496,6 +511,39 @@
+@@ -496,6 +511,43 @@
')
optional_policy(`
@@ -10449,8 +10445,12 @@
+
+ tunable_policy(`allow_daemons_use_tty',`
+ unconfined_use_terminals(daemon)
++ term_use_all_user_ttys(daemon)
++ term_use_all_user_ptys(daemon)
+ ', `
+ unconfined_dontaudit_use_terminals(daemon)
++ term_dontaudit_use_all_user_ttys(daemon)
++ term_dontaudit_use_all_user_ptys(daemon)
+ ')
+')
+
@@ -10458,7 +10458,7 @@
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
')
-@@ -631,12 +679,6 @@
+@@ -631,12 +683,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -10471,7 +10471,7 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -702,6 +744,9 @@
+@@ -702,6 +748,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -10720,7 +10720,7 @@
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.7/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-04 17:01:26.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-05 22:22:05.000000000 -0400
@@ -33,8 +33,13 @@
## </param>
#
@@ -11014,12 +11014,12 @@
+ type auditd_var_run_t;
+ ')
+
-+ allow $1 auditd_t:process { ptrace signal_perms };
++ allow $1 auditd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, auditd_t, auditd_t)
++
+ # Allow $1 to restart the apache service
+ audit_script_domtrans($1)
-+ domain_role_change_exemption($1)
+ domain_system_change_exemption($1)
-+ domain_obj_id_change_exemption($1)
+ role_transition $2 audit_script_exec_t system_r;
+ allow $2 system_r;
+
@@ -11068,14 +11068,14 @@
+ type var_log_t;
+ ')
+
-+ allow $1 syslogd_t:process { ptrace signal_perms };
-+ allow $1 klogd_t:process { ptrace signal_perms };
++ allow $1 syslogd_t:process { ptrace signal_perms getattr };
++ allow $1 klogd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, syslogd_t, syslogd_t)
++ read_files_pattern($1, klogd_t, klogd_t)
+
+ # Allow $1 to restart the apache service
+ syslog_script_domtrans($1)
-+ domain_role_change_exemption($1)
+ domain_system_change_exemption($1)
-+ domain_obj_id_change_exemption($1)
+ role_transition $2 syslog_script_exec_t system_r;
+ allow $2 system_r;
+
@@ -12585,7 +12585,16 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-04 16:56:00.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-05 22:07:53.000000000 -0400
+@@ -45,7 +45,7 @@
+ type $1_tty_device_t;
+ term_user_tty($1_t,$1_tty_device_t)
+
+- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
++ allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+ allow $1_t self:fd use;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -62,6 +62,10 @@
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -14025,7 +14034,7 @@
+## <summary>Policy for webadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.7/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-08-31 15:27:24.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-09-05 21:49:04.000000000 -0400
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.513
retrieving revision 1.514
diff -u -r1.513 -r1.514
--- selinux-policy.spec 5 Sep 2007 21:30:18 -0000 1.513
+++ selinux-policy.spec 6 Sep 2007 02:24:18 -0000 1.514
@@ -194,8 +194,8 @@
%if %{BUILD_TARGETED}
# Build targeted policy
# Commented out because only targeted ref policy currently builds
-%setupCmds targeted mcs n y
-%installCmds targeted mcs n y
+%setupCmds targeted mcs y y
+%installCmds targeted mcs y y
%endif
%if %{BUILD_MLS}
@@ -207,8 +207,8 @@
%if %{BUILD_OLPC}
# Build targeted policy
# Commented out because only targeted ref policy currently builds
-%setupCmds olpc mcs n y
-%installCmds olpc mcs n y
+%setupCmds olpc mcs y y
+%installCmds olpc mcs y y
%endif
make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
More information about the scm-commits
mailing list