rpms/selinux-policy/devel policy-20071130.patch, 1.121, 1.122 selinux-policy.spec, 1.649, 1.650

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Apr 10 14:38:10 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22355

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-32
- Label /var/run/gdm correctly
- Fix unconfined_u user creation


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- policy-20071130.patch	8 Apr 2008 20:14:36 -0000	1.121
+++ policy-20071130.patch	10 Apr 2008 14:37:57 -0000	1.122
@@ -5572,8 +5572,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-08 13:28:42.000000000 -0400
-@@ -0,0 +1,188 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-10 08:50:50.000000000 -0400
+@@ -0,0 +1,189 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5716,6 +5716,7 @@
 +	xserver_stream_connect_xdm_xserver(nsplugin_t)
 +	xserver_xdm_rw_shm(nsplugin_t)
 +	xserver_read_xdm_tmp_files(nsplugin_t)
++	xserver_read_xdm_pid(nsplugin_t)
 +	xserver_read_user_xauth(user, nsplugin_t)
 +	xserver_use_user_fonts(user, nsplugin_t)
 +')
@@ -18715,7 +18716,7 @@
  # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-04-09 08:18:34.000000000 -0400
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -18777,7 +18778,7 @@
  ########################################
  #
  # Postfix local local policy
-@@ -273,6 +292,8 @@
+@@ -273,18 +292,25 @@
  
  files_read_etc_files(postfix_local_t)
  
@@ -18786,8 +18787,10 @@
  mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
-@@ -280,11 +301,14 @@
+ mta_read_config(postfix_local_t)
  
++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
++
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
 +	clamav_exec_clamscan(postfix_local_t)
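Review bot: The new `domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)` has no comment saying why local delivery now needs to enter the postdrop domain, and the same unexplained transition is added for postfix_pipe_t in the later hunk that rewrites the pickup/pipe section; a one-line comment such as `# local(8)/pipe(8) re-inject bounces and notifications through postdrop(1)` above each would let a reader understand the pair without digging through denials — I am inferring the reason, so confirm it against the AVC that prompted the change. If the postdrop domain must inherit the caller's descriptors or fifos, check that the corresponding fd/fifo_file rules for postfix_local_t and postfix_pipe_t exist in the parts of postfix.te outside these hunks. The enclosing postfix_local_t block starts and continues outside this hunk.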
@@ -18801,7 +18804,7 @@
  ')
  
  optional_policy(`
-@@ -295,8 +319,7 @@
+@@ -295,8 +321,7 @@
  #
  # Postfix map local policy
  #
@@ -18811,7 +18814,7 @@
  allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
  allow postfix_map_t self:unix_dgram_socket create_socket_perms;
  allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -346,8 +369,6 @@
+@@ -346,8 +371,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -18820,7 +18823,7 @@
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -360,6 +381,11 @@
+@@ -360,6 +383,11 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -18832,18 +18835,28 @@
  ########################################
  #
  # Postfix pickup local policy
-@@ -392,6 +418,10 @@
+@@ -384,6 +412,7 @@
+ #
+ 
+ allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
++allow postfix_pipe_t self:process setrlimit;
+ 
+ write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
+ 
+@@ -391,6 +420,12 @@
+ 
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
- optional_policy(`
++domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
++
++optional_policy(`
 +	dovecot_domtrans_deliver(postfix_pipe_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
  	procmail_domtrans(postfix_pipe_t)
  ')
- 
-@@ -400,6 +430,10 @@
+@@ -400,6 +435,10 @@
  ')
  
  optional_policy(`
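Review bot: The added `allow postfix_pipe_t self:process setrlimit;` is a self-rule with no rationale, which is the kind of line later reviewers second-guess or copy elsewhere; put a why-comment above it, e.g. `# pipe(8) presumably adjusts its own resource limits before running the delivery command — confirm against the triggering denial`. Keeping such comments next to the rule also makes a future tightening (if only one limit is involved) easier to justify. The postfix_pipe_t policy block continues outside the hunk.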
@@ -18854,7 +18867,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -532,9 +566,6 @@
+@@ -532,9 +571,6 @@
  # connect to master process
  stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
@@ -18864,7 +18877,7 @@
  # for prng_exch
  allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
  allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +588,10 @@
+@@ -557,6 +593,10 @@
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -18875,7 +18888,7 @@
  ########################################
  #
  # Postfix virtual local policy
-@@ -584,3 +619,4 @@
+@@ -584,3 +624,4 @@
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -19629,7 +19642,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.3.1/policy/modules/services/privoxy.te
 --- nsaserefpolicy/policy/modules/services/privoxy.te	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/privoxy.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/privoxy.te	2008-04-09 08:37:52.000000000 -0400
 @@ -19,6 +19,9 @@
  type privoxy_var_run_t;
  files_pid_file(privoxy_var_run_t)
@@ -19640,6 +19653,14 @@
  ########################################
  #
  # Local Policy
+@@ -50,6 +53,7 @@
+ corenet_tcp_connect_http_port(privoxy_t)
+ corenet_tcp_connect_http_cache_port(privoxy_t)
+ corenet_tcp_connect_ftp_port(privoxy_t)
++corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+ corenet_tcp_connect_tor_port(privoxy_t)
+ corenet_sendrecv_http_cache_client_packets(privoxy_t)
+ corenet_sendrecv_http_cache_server_packets(privoxy_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.3.1/policy/modules/services/procmail.fc
 --- nsaserefpolicy/policy/modules/services/procmail.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/procmail.fc	2008-04-04 12:06:55.000000000 -0400
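Review bot: The added `corenet_tcp_connect_pgpkeyserver_port(privoxy_t)` has no companion packet rule, while the http_cache access in the same hunk is paired with `corenet_sendrecv_http_cache_client_packets(privoxy_t)`. If this module pairs every connect with a sendrecv rule (the http, ftp and tor packet lines are outside the hunk, so I cannot tell), add `corenet_sendrecv_pgpkeyserver_client_packets(privoxy_t)` beside it so the access also works when packets are labelled via SECMARK. A short comment on why privoxy needs the keyserver port (presumably a proxied client fetching PGP keys) would help the next reader.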
@@ -24203,7 +24224,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.3.1/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.fc	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.fc	2008-04-08 16:39:13.000000000 -0400
 @@ -1,13 +1,13 @@
  #
  # HOME_DIR
@@ -24246,7 +24267,7 @@
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth		--	gen_context(system_u:object_r:iceauth_exec_t,s0)
  /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -89,16 +84,21 @@
+@@ -89,16 +84,22 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -24262,6 +24283,7 @@
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
  
++/var/run/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
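Review bot: The new `/var/run/gdm(/.*)?` entry separates the regex from the context with a tab, a space and another tab, whereas the surrounding entries use tabs only; file_contexts is whitespace-separated so it still loads, but the stray space should be removed: `/var/run/gdm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)`. This is the labelling change the log message refers to, and on an existing system it only takes effect after a relabel; the fresh-install branch of the spec runs `restorecon -R ... /var/run`, but whether the upgrade branch relabels /var/run is not visible here and is worth checking.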
@@ -24272,7 +24294,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-04-10 08:50:38.000000000 -0400
 @@ -12,9 +12,15 @@
  ##	</summary>
  ## </param>
@@ -25469,6 +25491,15 @@
  ')
  
  ########################################
+@@ -932,7 +1547,7 @@
+ 	')
+ 
+ 	files_search_pids($1)
+-	allow $1 xdm_var_run_t:file read_file_perms;
++	read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
+ ')
+ 
+ ########################################
 @@ -955,6 +1570,24 @@
  
  ########################################
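Review bot: Replacing `allow $1 xdm_var_run_t:file read_file_perms;` with `read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)` also grants the caller search on directories of that type, which the new `/var/run/gdm(/.*)?` labelling makes necessary, but the interface's `<summary>`/`<desc>` block lies above the hunk and presumably still describes only reading the pid file; update it to say the caller may also search xdm_var_run_t directories, so callers such as the nsplugin addition earlier in this commit know what they are granted. The interface's opening lines are outside the hunk.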
@@ -35193,7 +35224,7 @@
 +define(`manage_key_perms', `{ create link read search setattr view write } ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3.1/policy/users
 --- nsaserefpolicy/policy/users	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.3.1/policy/users	2008-04-04 18:04:09.000000000 -0400
++++ serefpolicy-3.3.1/policy/users	2008-04-10 10:33:42.000000000 -0400
 @@ -16,7 +16,7 @@
  # and a user process should never be assigned the system user
  # identity.
@@ -35203,20 +35234,20 @@
  
  #
  # user_u is a generic user identity for Linux users who have no
-@@ -26,12 +26,9 @@
+@@ -26,11 +26,8 @@
  # permit any access to such users, then remove this entry.
  #
  gen_user(user_u, user, user_r, s0, s0)
 -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, staff, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
- gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
- 
+-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-
 -# Until order dependence is fixed for users:
 -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
--
++gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
  #
  # The following users correspond to Unix identities.
- # These identities are typically assigned as the user attribute
 @@ -39,8 +36,4 @@
  # role should use the staff_r role instead of the user_r role when
  # not in the sysadm_r.
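Review bot: Removing `gen_user(unconfined_u, ...)` from policy/users means the shipped targeted policy no longer defines that identity at all; it now exists only if the `semanage user -a ... unconfined_u 2> /dev/null` in the spec's %post succeeds, and since that command's stderr is discarded a failed creation leaves `__default__` and root mapped to a missing SELinux user with no message. Consider dropping the redirection on that one command, or testing its exit status before the `semanage login -m` calls. This hunk and the following root hunk also change the prefix of staff_u, sysadm_u and root from their own names to `user` (the value genhomedircon uses for home-directory labels); that is not mentioned in the changelog entry, which lists only the gdm label and the unconfined_u fix. The outer hunk's counts do not match the lines shown here, so some of the context may have been lost in the listing.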
@@ -35226,7 +35257,7 @@
 -',`
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
-+gen_user(root, unconfined, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
 --- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
 +++ serefpolicy-3.3.1/Rules.modular	2008-04-04 12:06:56.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.649
retrieving revision 1.650
diff -u -r1.649 -r1.650
--- selinux-policy.spec	8 Apr 2008 20:14:36 -0000	1.649
+++ selinux-policy.spec	10 Apr 2008 14:37:57 -0000	1.650
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 31%{?dist}
+Release: 32%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -244,8 +244,6 @@
 #	targeted - Targeted processes are protected,
 #	mls - Multi Level Security protection.
 SELINUXTYPE=targeted 
-# SETLOCALDEFS= Check local definition changes
-SETLOCALDEFS=0 
 
 " > /etc/selinux/config
 
@@ -257,8 +255,6 @@
 	[ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/
 	[ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers
 	grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n "
-# SETLOCALDEFS= Check local definition changes
-SETLOCALDEFS=0 
 ">> /etc/selinux/config
 fi
 
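Review bot: With the two SETLOCALDEFS lines deleted, the surviving `grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n "` followed by `">> /etc/selinux/config` now appends nothing but a bare newline to the config whenever the key is absent, which is dead logic; delete those two lines as well so the upgrade path stops touching the file for no reason. Leaving an existing SETLOCALDEFS setting untouched on upgrade needs no code, since nothing here writes it any more. The enclosing `%post` scriptlet continues outside the hunk.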
@@ -292,11 +288,11 @@
 %post targeted
 if [ $1 -eq 1 ]; then
 %loadpolicy targeted
-semanage user -a -S targeted -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
-semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
-semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
-semanage user -a -S targeted -R guest_r guest_u
-semanage user -a -S targeted -R xguest_r xguest_u 
+semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+semanage login -m -S targeted  -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
+semanage login -m -S targeted  -P user -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
+semanage user -a -S targeted  -P user -R guest_r guest_u
+semanage user -a -S targeted  -P user -R xguest_r xguest_u 
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -s targeted -r moilscanner 2>/dev/null
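Review bot: `-P user` is the SELinux-user prefix option of `semanage user`; on the two `semanage login -m` lines it appears to have no meaning, so unless the installed semanage accepts it for login mappings it should be dropped there: `semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null` (and likewise for root). The rewritten guest_u/xguest_u lines still lack the `2> /dev/null` the other commands carry, so only some failures in this block are visible; pick one convention, and since the policy no longer defines unconfined_u itself, its creation is the one command whose failure most deserves to be reported. The `%post targeted` scriptlet continues outside the hunk.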
@@ -312,7 +308,7 @@
 if [ $? -eq 0 ]; then
    semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
 else
-   semanage user -a -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
+   semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
 fi
 seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
 [ $seuser == "system_u" ]   && semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 __default__
@@ -387,6 +383,10 @@
 %endif
 
 %changelog
+* Thu Apr 10 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-32
+- Label /var/run/gdm correctly
+- Fix unconfined_u user creation
+
 * Tue Apr 8 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-31
 - Allow transition from initrc_t to getty_t
 



