rpms/selinux-policy/F-9 policy-20071130.patch, 1.195, 1.196 selinux-policy.spec, 1.698, 1.699
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Jul 29 20:55:33 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27613
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Tue Jul 29 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-81
- Add boolean httpd_execmem
- Add dontaudit for leaky pam_nssldap
- Dontaudit ptrace of domains for staff_t
policy-20071130.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.195 -r 1.196 policy-20071130.patch
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.195
retrieving revision 1.196
diff -u -r1.195 -r1.196
--- policy-20071130.patch 25 Jul 2008 01:35:46 -0000 1.195
+++ policy-20071130.patch 29 Jul 2008 20:55:03 -0000 1.196
@@ -3102,8 +3102,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-07-15 14:02:51.000000000 -0400
-@@ -26,8 +26,10 @@
++++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-07-28 08:40:30.000000000 -0400
+@@ -26,8 +26,12 @@
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
@@ -3111,10 +3111,12 @@
# why does it need setattr?
files_setattr_all_tmp_dirs(tmpreaper_t)
+files_getattr_lost_found_dirs(tmpreaper_t)
++files_getattr_all_dirs(tmpreaper_t)
++files_getattr_all_files(tmpreaper_t)
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -42,6 +44,26 @@
+@@ -42,6 +46,26 @@
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
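Review bot: `files_getattr_all_dirs(tmpreaper_t)` and `files_getattr_all_files(tmpreaper_t)` grant stat access to every file type on the system, well beyond the tmp trees tmpreaper prunes, and they land directly under the unanswered `# why does it need setattr?` without recording what triggered them. If the denials came from tmpreaper stat()ing entries it finds under /tmp (mount points, lost+found as the line above already handles), a dontaudit or an interface scoped to tmp content would avoid exposing metadata of sensitive types such as shadow or key files. At minimum add a why-comment so the grant can be revisited, e.g. `# stat() of arbitrary entries found while walking /tmp; TODO narrow to tmp types`.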
@@ -5118,7 +5120,7 @@
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-07-17 10:52:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-07-28 08:49:10.000000000 -0400
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
@@ -5271,7 +5273,15 @@
# Browse the web, connect to printer
corenet_all_recvfrom_unlabeled($1_mozilla_t)
-@@ -151,6 +193,7 @@
+@@ -139,7 +181,6 @@
+ corenet_tcp_connect_http_cache_port($1_mozilla_t)
+ corenet_tcp_connect_ftp_port($1_mozilla_t)
+ corenet_tcp_connect_ipp_port($1_mozilla_t)
+- corenet_tcp_connect_generic_port($1_mozilla_t)
+ corenet_sendrecv_http_client_packets($1_mozilla_t)
+ corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
+ corenet_sendrecv_ftp_client_packets($1_mozilla_t)
+@@ -151,6 +192,7 @@
dev_read_urand($1_mozilla_t)
dev_read_rand($1_mozilla_t)
@@ -5279,7 +5289,7 @@
dev_write_sound($1_mozilla_t)
dev_read_sound($1_mozilla_t)
dev_dontaudit_rw_dri($1_mozilla_t)
-@@ -165,13 +208,28 @@
+@@ -165,13 +207,28 @@
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
@@ -5308,7 +5318,7 @@
libs_use_ld_so($1_mozilla_t)
libs_use_shared_libs($1_mozilla_t)
-@@ -180,18 +238,10 @@
+@@ -180,18 +237,10 @@
miscfiles_read_fonts($1_mozilla_t)
miscfiles_read_localization($1_mozilla_t)
@@ -5330,7 +5340,7 @@
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
-@@ -211,131 +261,8 @@
+@@ -211,131 +260,8 @@
fs_manage_cifs_symlinks($1_mozilla_t)
')
@@ -5464,7 +5474,7 @@
')
optional_policy(`
-@@ -350,57 +277,58 @@
+@@ -350,57 +276,58 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
@@ -5547,7 +5557,7 @@
')
########################################
-@@ -430,11 +358,11 @@
+@@ -430,11 +357,11 @@
#
template(`mozilla_read_user_home_files',`
gen_require(`
@@ -5562,7 +5572,7 @@
')
########################################
-@@ -464,11 +392,10 @@
+@@ -464,11 +391,10 @@
#
template(`mozilla_write_user_home_files',`
gen_require(`
@@ -5576,7 +5586,7 @@
')
########################################
-@@ -573,3 +500,27 @@
+@@ -573,3 +499,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
@@ -5819,8 +5829,8 @@
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,353 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-07-29 16:19:53.000000000 -0400
+@@ -0,0 +1,356 @@
+
+## <summary>policy for nsplugin</summary>
+
@@ -5995,6 +6005,9 @@
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
+
++ # Connect to pulseaudit server
++ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
++
+ allow nsplugin_t $1_tmpfs_t:file { read getattr };
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
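Review bot: `stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)` does more than reach the PulseAudio socket: it expands to search on every `user_home_t` directory and write on every `user_home_t` sock_file in any user's home, so a plugin can connect to any socket a user happens to create there, and its connectto part duplicates the `allow nsplugin_t $2:unix_stream_socket connectto;` already a few lines above. If the PulseAudio socket is the only target, a dedicated type for it (or at least a comment stating that this is intentionally broad) would keep the sandbox meaningful. The comment also has a typo: `# Connect to the PulseAudio server socket (labelled user_home_t under $HOME)`. The enclosing template begins outside this hunk, so I cannot see whether `user_home_t` is listed in its gen_require.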
@@ -6176,8 +6189,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,211 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-07-29 13:22:00.000000000 -0400
+@@ -0,0 +1,227 @@
+
+policy_module(nsplugin,1.0.0)
+
@@ -6331,6 +6344,7 @@
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_user_xauth(user, nsplugin_t)
+ xserver_use_user_fonts(user, nsplugin_t)
++ xserver_manage_home_fonts(nsplugin_t)
+')
+
+########################################
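Review bot: `xserver_manage_home_fonts(nsplugin_t)` gives the plugin sandbox create, write and delete rights over the user's font files, whereas the surrounding lines (`xserver_use_user_fonts`, `xserver_read_user_xauth`) only read. If the trigger was fontconfig refreshing its cache, a read interface plus cache-directory write would be the narrower grant; if full manage is really required, a why-comment is warranted, e.g. `# fontconfig in the plugin rewrites ~/.fonts cache files; TODO confirm write is needed`. The optional_policy block this line sits in starts outside the hunk.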
@@ -6347,6 +6361,10 @@
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
++manage_dirs_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
++manage_files_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
++manage_lnk_files_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
++
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@@ -6363,6 +6381,7 @@
+files_read_etc_files(nsplugin_config_t)
+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
++files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
@@ -6377,14 +6396,24 @@
+
+
+tunable_policy(`use_nfs_home_dirs',`
-+ fs_search_nfs(nsplugin_config_t)
++ fs_manage_nfs_dirs(nsplugin_t)
++ fs_manage_nfs_files(nsplugin_t)
++ fs_manage_nfs_dirs(nsplugin_config_t)
++ fs_manage_nfs_files(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
-+ fs_search_cifs(nsplugin_config_t)
++ fs_manage_cifs_dirs(nsplugin_t)
++ fs_manage_cifs_files(nsplugin_t)
++ fs_manage_cifs_dirs(nsplugin_config_t)
++ fs_manage_cifs_files(nsplugin_config_t)
+')
+
[...1810 lines suppressed...]
- ## </param>
- #
--interface(`userdom_manage_unpriv_users_home_content_files',`
-+interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
- gen_require(`
- attribute user_home_dir_type, user_home_type;
- ')
-
- files_search_home($1)
-- manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
-+ dontaudit $1 user_home_type:dir list_dir_perms;
-+ dontaudit $1 user_home_type:file read_file_perms;
-+ dontaudit $1 user_home_type:file read_lnk_file_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_read_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_dontaudit_read_cifs_files($1)
-+ ')
- ')
-
- ########################################
- ## <summary>
--## Set the attributes of user ptys.
-+## Create, read, write, and delete directories in
-+## unprivileged users home directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5352,17 +5708,19 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_setattr_unpriv_users_ptys',`
-+interface(`userdom_manage_unpriv_users_home_content_dirs',`
- gen_require(`
-- attribute user_ptynode;
-+ attribute user_home_dir_type, user_home_type;
- ')
-
-- allow $1 user_ptynode:chr_file setattr;
-+ files_search_home($1)
-+ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
- ')
-
- ########################################
- ## <summary>
--## Read and write unprivileged user ptys.
-+## Create, read, write, and delete files in
-+## unprivileged users home directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5370,14 +5728,51 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_use_unpriv_users_ptys',`
-+interface(`userdom_manage_unpriv_users_home_content_files',`
- gen_require(`
-- attribute user_ptynode;
-+ attribute user_home_dir_type, user_home_type;
- ')
-
-- term_search_ptys($1)
-- allow $1 user_ptynode:chr_file rw_file_perms;
--')
-+ files_search_home($1)
-+ manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+')
+
+########################################
+## <summary>
-+## Set the attributes of user ptys.
++## dontaudit Read all unprivileged users home directory
++## files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -37235,36 +37466,31 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_setattr_unpriv_users_ptys',`
++interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
+ gen_require(`
-+ attribute user_ptynode;
++ attribute user_home_dir_type, user_home_type;
+ ')
+
-+ allow $1 user_ptynode:chr_file setattr;
-+')
++ files_search_home($1)
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:file read_lnk_file_perms;
+
-+########################################
-+## <summary>
-+## Read and write unprivileged user ptys.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_use_unpriv_users_ptys',`
-+ gen_require(`
-+ attribute user_ptynode;
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_dontaudit_read_nfs_files($1)
+ ')
+
-+ term_search_ptys($1)
-+ allow $1 user_ptynode:chr_file rw_file_perms;
++ tunable_policy(`use_samba_home_dirs',`
++ fs_dontaudit_read_cifs_files($1)
++ ')
+')
-
- ########################################
- ## <summary>
-@@ -5509,6 +5904,43 @@
++
++########################################
++## <summary>
+ ## Create, read, write, and delete directories in
+ ## unprivileged users home directories.
+ ## </summary>
+@@ -5509,6 +5939,43 @@
########################################
## <summary>
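Review bot: In `userdom_dontaudit_read_unpriv_users_home_content_files` the third rule uses the wrong object class: `dontaudit $1 user_home_type:file read_lnk_file_perms;` applies symlink permissions to class `file`, so symlink reads in home directories are still audited while the `file` rule is merely redundant with the one above it. It should read `dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;`. Since this is a dontaudit the mistake only affects audit noise, not access, but the interface's summary promises to silence reads of home content and currently does not do so for symlinks.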
@@ -37308,7 +37534,7 @@
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5559,7 +5991,7 @@
+@@ -5559,7 +6026,7 @@
attribute userdomain;
')
@@ -37317,7 +37543,7 @@
kernel_search_proc($1)
')
-@@ -5674,6 +6106,42 @@
+@@ -5674,6 +6141,42 @@
########################################
## <summary>
@@ -37360,7 +37586,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6172,408 @@
+@@ -5704,3 +6207,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -39077,14 +39303,15 @@
+## <summary>Policy for staff user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-07-15 14:02:52.000000000 -0400
-@@ -0,0 +1,29 @@
++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-07-29 16:29:56.000000000 -0400
+@@ -0,0 +1,30 @@
+policy_module(staff,1.0.1)
+userdom_admin_login_user_template(staff)
+
+# only staff_r can change to sysadm_r
+userdom_role_change_template(staff, sysadm)
+userdom_dontaudit_use_sysadm_terms(staff_t)
++domain_dontaudit_ptrace_all_domains(staff_t)
+
+kernel_read_ring_buffer(staff_t)
+
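Review bot: `domain_dontaudit_ptrace_all_domains(staff_t)` silences every ptrace denial raised by staff shells, including attempts against privileged system daemons, which is precisely the kind of AVC an incident responder would want preserved in the audit log. The changelog names the intent but not the tool that generated the noise; a short comment such as `# Quiet ptrace denials from debuggers/strace on processes staff_t may not trace; revisit if it hides abuse` would let a later maintainer judge whether the suppression is still justified. If the noise comes from one application, a domain-specific dontaudit would keep the rest of the signal.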
@@ -39207,8 +39434,8 @@
+## <summary>Policy for xguest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.3.1/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/xguest.te 2008-07-16 07:34:06.000000000 -0400
-@@ -0,0 +1,70 @@
++++ serefpolicy-3.3.1/policy/modules/users/xguest.te 2008-07-29 15:24:16.000000000 -0400
+@@ -0,0 +1,69 @@
+policy_module(xguest,1.0.1)
+
+## <desc>
@@ -39278,7 +39505,6 @@
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.3.1/policy/support/file_patterns.spt
--- nsaserefpolicy/policy/support/file_patterns.spt 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/support/file_patterns.spt 2008-07-15 14:02:52.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.698
retrieving revision 1.699
diff -u -r1.698 -r1.699
--- selinux-policy.spec 25 Jul 2008 01:35:47 -0000 1.698
+++ selinux-policy.spec 29 Jul 2008 20:55:03 -0000 1.699
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 80%{?dist}
+Release: 81%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,11 @@
%endif
%changelog
+* Tue Jul 29 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-81
+- Add boolean httpd_execmem
+- Add dontaudit for leaky pam_nssldap
+- Dontaudit ptrace of domains for staff_t
+
* Thu Jul 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-80
- Allow system_crond_t to restart init scripts
- Allow dnsmasq to bind to any udp port