rpms/selinux-policy/devel policy-20070703.patch, 1.46, 1.47 selinux-policy.spec, 1.513, 1.514

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Sep 6 02:24:21 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31897

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Tue Aug 28 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-3
- Allow sendmail to create etc_aliases_t


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- policy-20070703.patch	5 Sep 2007 21:30:18 -0000	1.46
+++ policy-20070703.patch	6 Sep 2007 02:24:18 -0000	1.47
@@ -3164,7 +3164,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.7/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apache.if	2007-09-05 07:16:31.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/apache.if	2007-09-05 22:22:33.000000000 -0400
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3409,7 +3409,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1013,46 +1047,143 @@
+@@ -1013,46 +1047,141 @@
  ##	</summary>
  ## </param>
  #
@@ -3554,8 +3554,6 @@
 +	# Allow $1 to restart the apache service
 +	apache_script_domtrans($1)
 +	domain_system_change_exemption($1)
-+	domain_role_change_exemption($1)
-+	domain_obj_id_change_exemption($1)
 +	role_transition $2 httpd_script_exec_t system_r;
 +	allow $2 system_r;
 +
@@ -6184,8 +6182,8 @@
 +/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.7/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mysql.if	2007-09-04 16:56:14.000000000 -0400
-@@ -157,3 +157,80 @@
++++ serefpolicy-3.0.7/policy/modules/services/mysql.if	2007-09-05 22:11:26.000000000 -0400
+@@ -157,3 +157,79 @@
  	logging_search_logs($1)
  	allow $1 mysqld_log_t:file { write append setattr ioctl };
  ')
@@ -6241,13 +6239,12 @@
 +		type mysqld_script_exec_t;
 +	')
 +
-+	allow $1 mysqld_t:process { ptrace signal_perms };
++	allow $1 mysqld_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, mysqld_t, mysqld_t)
 +	
 +	# Allow $1 to restart the apache service
 +	mysql_script_domtrans($1)
-+	domain_role_change_exemption($1)
 +	domain_system_change_exemption($1)
-+	domain_obj_id_change_exemption($1)
 +	role_transition $2 mysqld_script_exec_t system_r;
 +	allow $2 system_r;
 +
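Review bot: The widened rule `allow $1 mysqld_t:process { ptrace signal_perms getattr };` still carries `ptrace`, which lets the admin domain read and alter the daemon's memory, well beyond the restart purpose the comment below it describes. If the intent is only to let `$1` signal the daemon and see it in process listings, `allow $1 mysqld_t:process { signal_perms getattr };` would cover it, with ptrace dropped or moved behind a boolean. The same applies to the postgresql_t, auditd_t, syslogd_t and klogd_t rules in the later hunks; for auditd_t in particular, ptrace by an admin role weakens the integrity of the audit trail. The enclosing interface starts and ends outside this hunk, so its documented purpose should be confirmed there.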
@@ -7324,8 +7321,8 @@
 +/etc/rc\.d/init\.d/postgresql	--	gen_context(system_u:object_r:postgresql_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.7/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/postgresql.if	2007-09-05 15:13:11.000000000 -0400
-@@ -113,3 +113,78 @@
++++ serefpolicy-3.0.7/policy/modules/services/postgresql.if	2007-09-05 22:13:10.000000000 -0400
+@@ -113,3 +113,77 @@
          # Some versions of postgresql put the sock file in /tmp
  	allow $1 postgresql_tmp_t:sock_file write;
  ')
@@ -7379,13 +7376,12 @@
 +		type postgresql_log_t;
 +	')
 +
-+	allow $1 postgresql_t:process { ptrace signal_perms };
++	allow $1 postgresql_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postgresql_t, postgresql_t)
 +
 +	# Allow $1 to restart the apache service
 +	postgresql_script_domtrans($1)
 +	domain_system_change_exemption($1)
-+	domain_role_change_exemption($1)
-+	domain_obj_id_change_exemption($1)
 +	role_transition $2 postgresql_script_exec_t system_r;
 +	allow $2 system_r;
 +
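Review bot: `read_files_pattern($1, postgresql_t, postgresql_t)` passes the domain type as both the directory and the file type, and nothing in the hunk says why. Presumably it covers the daemon's /proc/<pid> entries, which carry the process label; a comment such as `# Let $1 read the daemon's /proc/<pid> entries` above the line would make that explicit. A files-only pattern does not cover the symlinks in that directory, so it is worth confirming that the omission is intended. The context comment `# Allow $1 to restart the apache service` is also a leftover from the apache interface and should name postgresql. Both remarks apply to the mysql and logging hunks as well; the interface body continues outside this hunk.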
@@ -10347,7 +10343,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.7/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/init.te	2007-09-04 12:01:50.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/init.te	2007-09-05 22:21:18.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -10418,7 +10414,7 @@
  
  manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
  manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -496,6 +511,39 @@
+@@ -496,6 +511,43 @@
  ')
  
  optional_policy(`
@@ -10449,8 +10445,12 @@
 +
 +	tunable_policy(`allow_daemons_use_tty',`
 +		unconfined_use_terminals(daemon)
++		term_use_all_user_ttys(daemon)
++		term_use_all_user_ptys(daemon)
 + 	', `
 +		unconfined_dontaudit_use_terminals(daemon)
++		term_dontaudit_use_all_user_ttys(daemon)
++		term_dontaudit_use_all_user_ptys(daemon)
 + 	')
 +')
 + 
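Review bot: With `allow_daemons_use_tty` enabled, the added `term_use_all_user_ttys(daemon)` and `term_use_all_user_ptys(daemon)` give every domain covered by `daemon` read/write access to all users' terminals, not only the one it was started from. A compromised daemon could then read or write another user's session, so the scope deserves a comment at the tunable, for example `# Grants all daemons rw on every user tty/pty; leave off unless debugging`, if that matches the intent. In the else branch the two `term_dontaudit_*` lines hide those denials for all daemons, which removes an AVC signal that monitoring may rely on; consider limiting the dontaudit to the domains known to generate the noise. The enclosing block starts outside the hunk, so the boolean's default cannot be checked from here.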
@@ -10458,7 +10458,7 @@
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
  ')
-@@ -631,12 +679,6 @@
+@@ -631,12 +683,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -10471,7 +10471,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -702,6 +744,9 @@
+@@ -702,6 +748,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -10720,7 +10720,7 @@
 +/etc/rc\.d/init\.d/auditd	--	gen_context(system_u:object_r:auditd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.7/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/logging.if	2007-09-04 17:01:26.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/logging.if	2007-09-05 22:22:05.000000000 -0400
 @@ -33,8 +33,13 @@
  ## </param>
  #
@@ -11014,12 +11014,12 @@
 +		type auditd_var_run_t;
 +	')
 +
-+	allow $1 auditd_t:process { ptrace signal_perms };
++	allow $1 auditd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, auditd_t, auditd_t)
++
 +	# Allow $1 to restart the apache service
 +	audit_script_domtrans($1)
-+	domain_role_change_exemption($1)
 +	domain_system_change_exemption($1)
-+	domain_obj_id_change_exemption($1)
 +	role_transition $2 audit_script_exec_t system_r;
 +	allow $2 system_r;
 +
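Review bot: The interface calls `audit_script_domtrans($1)` and uses `audit_script_exec_t` in the `role_transition`, while the file-context line visible earlier in this patch labels /etc/rc.d/init.d/auditd as `auditd_script_exec_t`. Unless both types are declared outside the visible hunks, one of the two spellings names a type that either does not exist or never labels the init script, so the build breaks or the role transition never applies. I would align them, e.g. `role_transition $2 auditd_script_exec_t system_r;` with the matching domtrans interface, after checking the declaration in logging.te. The gen_require block begins above this hunk, so the required types cannot be confirmed from here.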
@@ -11068,14 +11068,14 @@
 +		type var_log_t;
 +	')
 +
-+	allow $1 syslogd_t:process { ptrace signal_perms };
-+	allow $1 klogd_t:process { ptrace signal_perms };
++	allow $1 syslogd_t:process { ptrace signal_perms getattr };
++	allow $1 klogd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, syslogd_t, syslogd_t)
++	read_files_pattern($1, klogd_t, klogd_t)
 +
 +	# Allow $1 to restart the apache service
 +	syslog_script_domtrans($1)
-+	domain_role_change_exemption($1)
 +	domain_system_change_exemption($1)
-+	domain_obj_id_change_exemption($1)
 +	role_transition $2 syslog_script_exec_t system_r;
 +	allow $2 system_r;
 +
@@ -12585,7 +12585,16 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-04 16:56:00.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-05 22:07:53.000000000 -0400
+@@ -45,7 +45,7 @@
+ 	type $1_tty_device_t; 
+ 	term_user_tty($1_t,$1_tty_device_t)
+ 
+-	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
++	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+ 	allow $1_t self:fd use;
+ 	allow $1_t self:fifo_file rw_fifo_file_perms;
+ 	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -14025,7 +14034,7 @@
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.7/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/webadm.te	2007-08-31 15:27:24.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/users/webadm.te	2007-09-05 21:49:04.000000000 -0400
 @@ -0,0 +1,42 @@
 +policy_module(webadm,1.0.0)
 +


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.513
retrieving revision 1.514
diff -u -r1.513 -r1.514
--- selinux-policy.spec	5 Sep 2007 21:30:18 -0000	1.513
+++ selinux-policy.spec	6 Sep 2007 02:24:18 -0000	1.514
@@ -194,8 +194,8 @@
 %if %{BUILD_TARGETED}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds targeted mcs n y
-%installCmds targeted mcs n y
+%setupCmds targeted mcs y y
+%installCmds targeted mcs y y
 %endif
 
 %if %{BUILD_MLS}
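Review bot: The third positional argument to `%setupCmds`/`%installCmds` flips from `n` to `y` here and in the olpc hunk below, but neither the log message nor a comment says what it controls. The comment above (`# Commented out because only targeted ref policy currently builds`) no longer describes these lines either. If that argument maps to DIRECT_INITRC (the macro definition is outside the hunk, so this is an inference), the policy is now built with `y` while the `make ... DIRECT_INITRC=n ... install-headers install-docs` line in the next hunk still passes `n`, so the shipped headers may not match the installed policy. I would add a comment naming the arguments, e.g. `# args: name type direct_initrc poly`, and a changelog entry for the switch, since in that case it changes how init scripts are entered from admin domains.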
@@ -207,8 +207,8 @@
 %if %{BUILD_OLPC}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds olpc mcs n y
-%installCmds olpc mcs n y
+%setupCmds olpc mcs y y
+%installCmds olpc mcs y y
 %endif
 
 make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs



