rpms/selinux-policy/devel policy-20070703.patch, 1.54, 1.55 selinux-policy.spec, 1.520, 1.521

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Sep 11 20:05:42 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30810

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Tue Sep 11 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-10
- Allow NetworkManager to dbus chat with yum-updated


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- policy-20070703.patch	11 Sep 2007 16:07:47 -0000	1.54
+++ policy-20070703.patch	11 Sep 2007 20:05:08 -0000	1.55
@@ -2814,7 +2814,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.7/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/files.if	2007-09-11 08:45:38.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/files.if	2007-09-11 14:40:00.000000000 -0400
 @@ -343,8 +343,7 @@
  
  ########################################
@@ -3289,7 +3289,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.7/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/selinux.if	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/selinux.if	2007-09-11 13:01:12.000000000 -0400
 @@ -138,6 +138,7 @@
  		type security_t;
  	')
@@ -6285,7 +6285,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.7/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ftp.te	2007-09-10 14:54:57.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/ftp.te	2007-09-11 14:32:19.000000000 -0400
 @@ -88,6 +88,7 @@
  allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
  allow ftpd_t self:tcp_socket create_stream_socket_perms;
@@ -6327,20 +6327,21 @@
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -252,7 +264,9 @@
+@@ -252,7 +264,10 @@
  ')
  
  optional_policy(`
 +	kerberos_use(ftpd_t)
  	kerberos_read_keytab(ftpd_t)
 +	kerberos_manage_host_rcache(ftpd_t)
++	selinux_validate_context(ftpd_t)
  ')
  
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.7/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/hal.fc	2007-09-06 15:43:06.000000000 -0400
-@@ -8,9 +8,15 @@
++++ serefpolicy-3.0.7/policy/modules/services/hal.fc	2007-09-11 15:14:05.000000000 -0400
+@@ -8,9 +8,17 @@
  /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
  
  /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
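Review bot: The added `selinux_validate_context(ftpd_t)` is nested inside the `optional_policy(` block that pulls in the kerberos interfaces, so ftpd only gets to validate contexts when the kerberos module is loaded; if the check is needed regardless of Kerberos, the line belongs in the unconditional part of ftp.te, and either way it should carry a comment naming the operation that triggers the context validation, since nothing on the line or in the changelog entry (which only mentions NetworkManager) records it. The enclosing `optional_policy(` block is fully visible in the hunk, but the surrounding ftp.te policy is not.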
@@ -6356,6 +6357,8 @@
 +
 +/var/log/pm-suspend.log				gen_context(system_u:object_r:hald_log_t,s0)
 +
++/var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.0.7/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/services/hal.if	2007-09-06 15:43:06.000000000 -0400
@@ -7386,7 +7389,7 @@
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.7/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/networkmanager.te	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/networkmanager.te	2007-09-11 14:21:48.000000000 -0400
 @@ -20,7 +20,7 @@
  
  # networkmanager will ptrace itself if gdb is installed
@@ -7405,7 +7408,17 @@
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_all_if(NetworkManager_t)
-@@ -152,6 +154,11 @@
+@@ -136,6 +138,9 @@
+ 	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
+ 	dbus_connect_system_bus(NetworkManager_t)
+ 	dbus_send_system_bus(NetworkManager_t)
++	optional_policy(`
++		rpm_dbus_chat(NetworkManager_t)
++	')
+ ')
+ 
+ optional_policy(`
+@@ -152,6 +157,11 @@
  ')
  
  optional_policy(`
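Review bot: The added `rpm_dbus_chat(NetworkManager_t)` has no comment, so the only record of why NetworkManager must exchange dbus messages with the rpm domain is the changelog line; add `# yum-updatesd presumably runs in the rpm domain and talks to NetworkManager over the system bus` above the new `optional_policy(` so the rule can be audited later. Refpolicy `*_dbus_chat` interfaces conventionally grant `send_msg` in both directions, which also lets processes in the rpm domain message NetworkManager; if yum-updatesd only needs to receive NetworkManager's signals, a one-directional rule would be tighter — confirm against rpm.if, which is outside this hunk. The outer dbus `optional_policy(` block starts before the hunk.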
@@ -7417,7 +7430,7 @@
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
-@@ -166,8 +173,10 @@
+@@ -166,8 +176,10 @@
  ')
  
  optional_policy(`
@@ -9669,7 +9682,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te	2007-09-11 11:09:25.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te	2007-09-11 15:24:02.000000000 -0400
 @@ -33,7 +33,6 @@
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -9705,13 +9718,14 @@
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
  
-@@ -109,5 +114,7 @@
+@@ -109,5 +114,8 @@
  ')
  
  optional_policy(`
 -	nis_use_ypbind(setroubleshootd_t)
 +	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
 +	dbus_send_system_bus(setroubleshootd_t)
++	dbus_connect_system_bus(setroubleshootd_t)
  ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.0.7/policy/modules/services/snmp.fc
@@ -11302,8 +11316,8 @@
 +/usr/sbin/brctl		--	gen_context(system_u:object_r:brctl_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.if serefpolicy-3.0.7/policy/modules/system/brctl.if
 --- nsaserefpolicy/policy/modules/system/brctl.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/brctl.if	2007-09-06 15:43:06.000000000 -0400
-@@ -0,0 +1,25 @@
++++ serefpolicy-3.0.7/policy/modules/system/brctl.if	2007-09-11 14:23:37.000000000 -0400
+@@ -0,0 +1,43 @@
 +
 +## <summary>Utilities for configuring the linux ethernet bridge</summary>
 +
@@ -11329,6 +11343,24 @@
 +	allow brctl_t $1:fifo_file rw_file_perms;
 +	allow brctl_t $1:process sigchld;
 +')
++
++########################################
++## <summary>
++##	Get attributes brctl executable.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`brctl_getattr',`
++	gen_require(`
++		type brctl_exec_t;
++	')
++
++	allow $1 brctl_exec_t:file getattr;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.7/policy/modules/system/brctl.te
 --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.7/policy/modules/system/brctl.te	2007-09-10 08:59:32.000000000 -0400
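Review bot: The `<param>` summary of the new `brctl_getattr` interface reads `Domain allowed to transition.`, but the interface only grants `allow $1 brctl_exec_t:file getattr;` — the wording was carried over from the domtrans interface above it. Change it to `##	Domain allowed access.` and the ungrammatical summary to `##	Get attributes of the brctl executable.` so the generated interface documentation does not promise a domain transition that the rule never grants.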
@@ -15418,7 +15450,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.7/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/xen.te	2007-09-07 08:48:47.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/xen.te	2007-09-11 14:25:59.000000000 -0400
 @@ -95,7 +95,7 @@
  read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
  rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
@@ -15428,7 +15460,13 @@
  dev_filetrans(xend_t, xenctl_t, fifo_file)
  
  manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
-@@ -126,7 +126,7 @@
+@@ -122,11 +122,13 @@
+ manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
+ files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
+ 
++init_stream_connect_script(xend_t)
++
+ # transition to store
  domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
  allow xenstored_t xend_t:fd use;
  allow xenstored_t xend_t:process sigchld;
@@ -15437,7 +15475,7 @@
  
  # transition to console
  domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
-@@ -176,6 +176,7 @@
+@@ -176,6 +178,7 @@
  files_manage_etc_runtime_files(xend_t)
  files_etc_filetrans_etc_runtime(xend_t,file)
  files_read_usr_files(xend_t)
@@ -15445,7 +15483,18 @@
  
  storage_raw_read_fixed_disk(xend_t)
  storage_raw_write_fixed_disk(xend_t)
-@@ -224,7 +225,7 @@
+@@ -214,6 +217,10 @@
+ netutils_domtrans(xend_t)
+ 
+ optional_policy(`
++	brctl_getattr(xend_t)
++')
++
++optional_policy(`
+ 	consoletype_exec(xend_t)
+ ')
+ 
+@@ -224,7 +231,7 @@
  
  allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
  allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
@@ -15454,7 +15503,7 @@
  
  allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
  
-@@ -257,7 +258,7 @@
+@@ -257,7 +264,7 @@
  
  miscfiles_read_localization(xenconsoled_t)
  
@@ -15463,7 +15512,7 @@
  xen_stream_connect_xenstore(xenconsoled_t)
  
  ########################################
-@@ -265,7 +266,7 @@
+@@ -265,7 +272,7 @@
  # Xen store local policy
  #
  
@@ -15472,7 +15521,7 @@
  allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
  allow xenstored_t self:unix_dgram_socket create_socket_perms;
  
-@@ -318,12 +319,13 @@
+@@ -318,12 +325,13 @@
  allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
  
  # internal communication is often done using fifo and unix sockets.
@@ -15487,7 +15536,7 @@
  files_search_var_lib(xm_t)
  
  allow xm_t xen_image_t:dir rw_dir_perms;
-@@ -336,6 +338,7 @@
+@@ -336,6 +344,7 @@
  kernel_write_xen_state(xm_t)
  
  corecmd_exec_bin(xm_t)
@@ -15495,7 +15544,15 @@
  
  corenet_tcp_sendrecv_generic_if(xm_t)
  corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -366,3 +369,14 @@
+@@ -353,6 +362,7 @@
+ 
+ term_use_all_terms(xm_t)
+ 
++init_stream_connect_script(xm_t)
+ init_rw_script_stream_sockets(xm_t)
+ init_use_fds(xm_t)
+ 
+@@ -366,3 +376,14 @@
  xen_append_log(xm_t)
  xen_stream_connect(xm_t)
  xen_stream_connect_xenstore(xm_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.520
retrieving revision 1.521
diff -u -r1.520 -r1.521
--- selinux-policy.spec	11 Sep 2007 16:07:47 -0000	1.520
+++ selinux-policy.spec	11 Sep 2007 20:05:08 -0000	1.521
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,9 @@
 %endif
 
 %changelog
+* Tue Sep 11 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-10
+- Allow NetworkManager to dbus chat with yum-updated
+
 * Tue Sep 11 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-9
 - Allow xfs to bind to port 7100
 



