rpms/selinux-policy/F-9 policy-20071130.patch, 1.138, 1.139 selinux-policy.spec, 1.662, 1.663

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed May 7 19:13:03 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv32034

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Wed May 7 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-48
- Allow amanda to create data files


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.138
retrieving revision 1.139
diff -u -r1.138 -r1.139
--- policy-20071130.patch	6 May 2008 20:42:41 -0000	1.138
+++ policy-20071130.patch	7 May 2008 19:12:27 -0000	1.139
@@ -1399,6 +1399,19 @@
  
  
  #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.3.1/policy/modules/admin/amanda.te
+--- nsaserefpolicy/policy/modules/admin/amanda.te	2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/amanda.te	2008-05-07 13:40:42.000000000 -0400
+@@ -82,8 +82,7 @@
+ allow amanda_t amanda_config_t:file { getattr read };
+ 
+ # access to amandas data structure
+-allow amanda_t amanda_data_t:dir { read search write };
+-allow amanda_t amanda_data_t:file manage_file_perms;
++manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+ 
+ # access to amanda_dumpdates_t
+ allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.3.1/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2008-02-26 08:23:10.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/admin/anaconda.te	2008-05-06 14:02:43.000000000 -0400
@@ -5711,8 +5724,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-05-06 14:02:43.000000000 -0400
-@@ -0,0 +1,198 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-05-07 10:42:53.000000000 -0400
+@@ -0,0 +1,201 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5788,6 +5801,8 @@
 +dev_read_rand(nsplugin_t)
 +dev_read_sound(nsplugin_t)
 +dev_write_sound(nsplugin_t)
++dev_read_video_dev(nsplugin_t)
++dev_write_video_dev(nsplugin_t)
 +
 +kernel_read_kernel_sysctls(nsplugin_t)
 +kernel_read_system_state(nsplugin_t)
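Review bot: `dev_read_video_dev(nsplugin_t)` / `dev_write_video_dev(nsplugin_t)` hand every browser plugin unconditional read/write on video capture devices, with no administrator opt-out, in a domain whose whole purpose is to confine untrusted plugin code. The adjacent sound-device grants are unconditional too, so this follows the file's existing style, but camera access is the more sensitive of the two; consider wrapping the pair in a `tunable_policy` block behind a new boolean declared with `gen_tunable` so sites can leave it off. The nsplugin_t policy continues outside this hunk.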
@@ -5824,6 +5839,7 @@
 +userdom_manage_user_tmp_sockets(user,nsplugin_t)
 +userdom_tmp_filetrans_user_tmp(user,nsplugin_t, { file dir sock_file })
 +userdom_read_user_tmpfs_files(user,nsplugin_t)
++userdom_rw_unpriv_user_semaphores(nsplugin_t)
 +
 +userdom_read_user_home_content_symlinks(user, nsplugin_t)
 +userdom_read_user_home_content_files(user, nsplugin_t)
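Review bot: `userdom_rw_unpriv_user_semaphores(nsplugin_t)` grants read/write on the SysV semaphores of every unprivileged user domain, not just the user who launched the plugin, because the interface added in the userdomain.if part of this same patch is written against the `unpriv_userdomain` attribute rather than a per-user type. The neighbouring calls on these lines are per-user (`userdom_manage_user_tmp_sockets(user,nsplugin_t)`, `userdom_read_user_tmpfs_files(user,nsplugin_t)`), so this one stands out as a cross-user grant. If a per-user variant can be written it is the tighter fit; otherwise a one-line comment stating that all-users access is intended would keep the next reader from treating it as an oversight.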
@@ -7098,7 +7114,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2008-02-26 08:23:12.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-05-06 14:08:38.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-05-07 10:37:38.000000000 -0400
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -8822,7 +8838,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.3.1/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/amavis.te	2008-05-06 14:02:43.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/amavis.te	2008-05-07 06:38:24.000000000 -0400
 @@ -13,7 +13,7 @@
  
  # configuration files
@@ -9496,7 +9512,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-05-06 16:40:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-05-07 14:22:10.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -19633,7 +19649,7 @@
  # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-05-06 14:02:43.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-05-07 06:40:55.000000000 -0400
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -19677,7 +19693,17 @@
  
  type postfix_map_tmp_t;
  files_tmp_file(postfix_map_tmp_t)
-@@ -99,6 +112,7 @@
+@@ -80,6 +93,9 @@
+ type postfix_public_t;
+ files_type(postfix_public_t)
+ 
++type postfix_var_lib_t;
++files_type(postfix_var_lib_t)
++
+ type postfix_var_run_t;
+ files_pid_file(postfix_var_run_t)
+ 
+@@ -99,6 +115,7 @@
  allow postfix_master_t self:fifo_file rw_fifo_file_perms;
  allow postfix_master_t self:tcp_socket create_stream_socket_perms;
  allow postfix_master_t self:udp_socket create_socket_perms;
@@ -19685,7 +19711,18 @@
  
  allow postfix_master_t postfix_etc_t:file rw_file_perms;
  
-@@ -174,6 +188,7 @@
+@@ -122,6 +139,10 @@
+ 
+ domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+ 
++manage_dirs_pattern(postfix_master_t,postfix_var_lib_t,postfix_var_lib_t)
++manage_files_pattern(postfix_master_t,postfix_var_lib_t,postfix_var_lib_t)
++files_search_var_lib(postfix_master_t)
++
+ # allow access to deferred queue and allow removing bogus incoming entries
+ manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
+ manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
+@@ -174,6 +195,7 @@
  
  mta_rw_aliases(postfix_master_t)
  mta_read_sendmail_bin(postfix_master_t)
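Review bot: postfix_master_t gains manage rights on postfix_var_lib_t, but no postfix.fc hunk assigning that type to /var/lib/postfix appears in this diff; unless the file-context entry already exists elsewhere in the patch, nothing on disk ever carries the type and these rules are dead while master's files under /var/lib stay var_lib_t. Please confirm the `.fc` entry, and if master creates its lock or cache files in a directory it does not own, a `files_var_lib_filetrans(postfix_master_t, postfix_var_lib_t, { file dir })` would give new objects the type without a relabel. The postfix_master_t policy continues outside this hunk.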
@@ -19693,7 +19730,7 @@
  
  optional_policy(`
  	cyrus_stream_connect(postfix_master_t)
-@@ -248,6 +263,10 @@
+@@ -248,6 +270,10 @@
  
  corecmd_exec_bin(postfix_cleanup_t)
  
@@ -19704,7 +19741,7 @@
  ########################################
  #
  # Postfix local local policy
-@@ -273,18 +292,25 @@
+@@ -273,18 +299,25 @@
  
  files_read_etc_files(postfix_local_t)
  
@@ -19730,7 +19767,7 @@
  ')
  
  optional_policy(`
-@@ -295,8 +321,7 @@
+@@ -295,8 +328,7 @@
  #
  # Postfix map local policy
  #
@@ -19740,7 +19777,7 @@
  allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
  allow postfix_map_t self:unix_dgram_socket create_socket_perms;
  allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -346,8 +371,6 @@
+@@ -346,8 +378,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -19749,7 +19786,7 @@
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -360,6 +383,11 @@
+@@ -360,6 +390,11 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -19761,7 +19798,7 @@
  ########################################
  #
  # Postfix pickup local policy
-@@ -384,6 +412,7 @@
+@@ -384,6 +419,7 @@
  #
  
  allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -19769,7 +19806,7 @@
  
  write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
  
-@@ -391,6 +420,12 @@
+@@ -391,6 +427,12 @@
  
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
@@ -19782,7 +19819,7 @@
  optional_policy(`
  	procmail_domtrans(postfix_pipe_t)
  ')
-@@ -400,6 +435,10 @@
+@@ -400,6 +442,10 @@
  ')
  
  optional_policy(`
@@ -19793,7 +19830,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -532,9 +571,6 @@
+@@ -532,9 +578,6 @@
  # connect to master process
  stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
@@ -19803,7 +19840,7 @@
  # for prng_exch
  allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
  allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +593,10 @@
+@@ -557,6 +600,10 @@
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -19814,7 +19851,7 @@
  ########################################
  #
  # Postfix virtual local policy
-@@ -572,7 +612,7 @@
+@@ -572,7 +619,7 @@
  files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
  
  # connect to master process
@@ -27877,7 +27914,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-05-06 14:02:43.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-05-07 14:02:18.000000000 -0400
 @@ -59,6 +59,9 @@
  type utempter_exec_t;
  application_domain(utempter_t,utempter_exec_t)
@@ -28089,7 +28126,7 @@
 -
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-05-06 14:02:43.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-05-07 10:57:02.000000000 -0400
 @@ -211,6 +211,13 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -28756,7 +28793,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/iptables.te	2008-05-06 14:02:43.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/iptables.te	2008-05-07 08:53:39.000000000 -0400
 @@ -48,6 +48,7 @@
  
  fs_getattr_xattr_fs(iptables_t)
@@ -28765,6 +28802,14 @@
  
  mls_file_read_all_levels(iptables_t)
  
+@@ -113,3 +114,7 @@
+ optional_policy(`
+ 	udev_read_db(iptables_t)
+ ')
++
++optional_policy(`
++	unconfined_rw_stream_sockets(iptables_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2008-02-26 08:23:09.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/iscsi.te	2008-05-06 14:02:43.000000000 -0400
@@ -28982,7 +29027,7 @@
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.fc	2008-05-06 14:02:43.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.fc	2008-05-07 14:09:20.000000000 -0400
 @@ -4,6 +4,8 @@
  /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
  /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
@@ -28992,7 +29037,15 @@
  /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
  /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
  /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -46,7 +48,7 @@
+@@ -36,6 +38,7 @@
+ /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+ /var/log/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/lib/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ 
+ ifndef(`distro_gentoo',`
+ /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+@@ -46,7 +49,7 @@
  ')
  
  /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
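Review bot: The new `/var/lib/syslog-ng(/.*)?` entry carries the `--` regular-file qualifier, so the `/var/lib/syslog-ng` directory itself (matched when the optional group is empty) and any subdirectory are not labeled syslogd_var_lib_t and keep whatever the parent gives them, presumably var_lib_t. Unless that is intended, drop the qualifier: `/var/lib/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_lib_t,s0)`; the existing `/var/log/syslog-ng(/.*)? --` line above has the same shape. No logging.te hunk declaring `syslogd_var_lib_t` is visible in this diff, so confirm the type is declared elsewhere in the patch or the file-context compile will fail.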
@@ -29001,7 +29054,7 @@
  /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
  /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
  /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
-@@ -57,3 +59,8 @@
+@@ -57,3 +60,8 @@
  /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
  
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
@@ -30525,7 +30578,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.3.1/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if	2008-05-06 14:02:43.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if	2008-05-07 10:50:23.000000000 -0400
 @@ -215,8 +215,6 @@
  	seutil_domtrans_newrole($1)
  	role $2 types newrole_t;
@@ -30666,7 +30719,7 @@
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1141,3 +1215,140 @@
+@@ -1141,3 +1215,141 @@
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -30772,6 +30825,7 @@
 +	files_read_usr_files($1)
 +	files_list_pids($1)
 +	fs_list_inotifyfs($1)
++	fs_getattr_all_fs($1)
 +
 +	mls_file_write_all_levels($1)
 +	mls_file_read_all_levels($1)
@@ -31097,6 +31151,15 @@
  
  selinux_compute_access_vector(setrans_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.3.1/policy/modules/system/sysnetwork.fc
+--- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2008-02-26 08:23:10.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.fc	2008-05-07 10:59:24.000000000 -0400
+@@ -57,3 +57,5 @@
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+ ')
++
++/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2008-02-26 08:23:09.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if	2008-05-06 14:02:43.000000000 -0400
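Review bot: The new firestarter entry has no file-type qualifier, so it also matches a directory or symlink at that path, while an entry-point type is meant for a regular executable; `/etc/firestarter/firestarter\.sh	--	gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)` is the usual form. Since the path is specific to one third-party firewall tool, a short comment naming it (the dhclient hook Firestarter installs, if that is what it is) would tell the next reader why a network-helper entry point lives under /etc.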
@@ -31198,8 +31261,19 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te	2008-05-06 14:02:43.000000000 -0400
-@@ -45,7 +45,7 @@
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te	2008-05-07 10:58:33.000000000 -0400
+@@ -20,6 +20,10 @@
+ init_daemon_domain(dhcpc_t,dhcpc_exec_t)
+ role system_r types dhcpc_t;
+ 
++type dhcpc_helper_exec_t;
++domain_entry_file(dhcpc_helper_exec_t)
++init_script_domtrans_spec(dhcpc_t, dhcpc_helper_exec_t)
++
+ type dhcpc_state_t;
+ files_type(dhcpc_state_t)
+ 
+@@ -45,7 +49,7 @@
  dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
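Review bot: `domain_entry_file(dhcpc_helper_exec_t)` is passed a single argument; if `domain_entry_file` keeps the refpolicy signature `(domain, entrypoint_type)`, the second parameter expands to nothing and the generated `allow ... :file entrypoint` line will not compile, so this probably wants either `domain_entry_file(dhcpc_t, dhcpc_helper_exec_t)` or simply `files_type(dhcpc_helper_exec_t)`, given that `init_script_domtrans_spec(dhcpc_t, dhcpc_helper_exec_t)` presumably already grants initrc_t entrypoint on the type through domtrans_pattern. Separately, that transition lets dhcpc_t, which processes network-supplied DHCP data, execute /etc/firestarter/firestarter.sh in initrc_t, a far more privileged domain; a comment stating that the script is root-owned configuration and why it must run in initrc_t would document the trust boundary being crossed. The remainder of the dhcpc_t policy is outside this hunk.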
@@ -31208,7 +31282,7 @@
  allow dhcpc_t self:fifo_file rw_file_perms;
  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
  allow dhcpc_t self:udp_socket create_socket_perms;
-@@ -123,7 +123,7 @@
+@@ -123,7 +127,7 @@
  files_read_etc_runtime_files(dhcpc_t)
  files_search_home(dhcpc_t)
  files_search_var_lib(dhcpc_t)
@@ -31217,7 +31291,7 @@
  
  init_rw_utmp(dhcpc_t)
  
-@@ -136,6 +136,7 @@
+@@ -136,6 +140,7 @@
  
  modutils_domtrans_insmod(dhcpc_t)
  
@@ -31225,7 +31299,7 @@
  userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
  
  ifdef(`distro_redhat', `
-@@ -153,11 +154,19 @@
+@@ -153,11 +158,19 @@
  ')
  
  optional_policy(`
@@ -31245,7 +31319,7 @@
  	optional_policy(`
  		networkmanager_dbus_chat(dhcpc_t)
  	')
-@@ -186,6 +195,10 @@
+@@ -186,6 +199,10 @@
  ')
  
  optional_policy(`
@@ -31256,7 +31330,7 @@
  	nis_use_ypbind(dhcpc_t)
  	nis_signal_ypbind(dhcpc_t)
  	nis_read_ypbind_pid(dhcpc_t)
-@@ -202,9 +215,7 @@
+@@ -202,9 +219,7 @@
  ')
  
  optional_policy(`
@@ -31267,7 +31341,7 @@
  ')
  
  optional_policy(`
-@@ -215,6 +226,7 @@
+@@ -215,6 +230,7 @@
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -31275,7 +31349,7 @@
  ')
  
  optional_policy(`
-@@ -226,6 +238,10 @@
+@@ -226,6 +242,10 @@
  ')
  
  optional_policy(`
@@ -31286,7 +31360,7 @@
  	kernel_read_xen_state(dhcpc_t)
  	kernel_write_xen_state(dhcpc_t)
  	xen_append_log(dhcpc_t)
-@@ -239,7 +255,6 @@
+@@ -239,7 +259,6 @@
  
  allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
@@ -31294,7 +31368,7 @@
  
  allow ifconfig_t self:fd use;
  allow ifconfig_t self:fifo_file rw_fifo_file_perms;
-@@ -253,6 +268,7 @@
+@@ -253,6 +272,7 @@
  allow ifconfig_t self:sem create_sem_perms;
  allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
@@ -31302,7 +31376,7 @@
  
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -268,7 +284,10 @@
+@@ -268,7 +288,10 @@
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
  kernel_search_network_sysctl(ifconfig_t)
@@ -31313,7 +31387,7 @@
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
-@@ -279,8 +298,11 @@
+@@ -279,8 +302,11 @@
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
  
@@ -31325,7 +31399,7 @@
  
  domain_use_interactive_fds(ifconfig_t)
  
-@@ -308,7 +330,7 @@
+@@ -308,7 +334,7 @@
  		unconfined_domain(ifconfig_t)
  	')
  ')
@@ -31334,7 +31408,7 @@
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -332,6 +354,14 @@
+@@ -332,6 +358,14 @@
  ')
  
  optional_policy(`
@@ -32179,7 +32253,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-05-06 14:02:43.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-05-07 10:42:29.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -34151,7 +34225,32 @@
  ##	</summary>
  ## </param>
  #
-@@ -4231,11 +4404,11 @@
+@@ -3962,6 +4135,24 @@
+ 
+ ########################################
+ ## <summary>
++##	RW unpriviledged user SysV sempaphores.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_rw_unpriv_user_semaphores',`
++	gen_require(`
++		attribute unpriv_userdomain;
++	')
++
++	allow $1 unpriv_userdomain:sem rw_sem_perms;
++')
++
++########################################
++## <summary>
+ ##	Manage unpriviledged user SysV shared
+ ##	memory segments.
+ ## </summary>
+@@ -4231,11 +4422,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -34165,7 +34264,7 @@
  ')
  
  ########################################
-@@ -4251,10 +4424,10 @@
+@@ -4251,10 +4442,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -34178,7 +34277,7 @@
  ')
  
  ########################################
-@@ -4270,11 +4443,11 @@
+@@ -4270,11 +4461,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -34192,7 +34291,7 @@
  ')
  
  ########################################
-@@ -4289,16 +4462,16 @@
+@@ -4289,16 +4480,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -34212,7 +34311,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4480,35 @@
+@@ -4307,12 +4498,35 @@
  ##	</summary>
  ## </param>
  #
@@ -34251,7 +34350,7 @@
  ')
  
  ########################################
-@@ -4327,13 +4523,13 @@
+@@ -4327,13 +4541,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -34269,7 +34368,7 @@
  ')
  
  ########################################
-@@ -4531,10 +4727,10 @@
+@@ -4531,10 +4745,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -34282,7 +34381,7 @@
  ')
  
  ########################################
-@@ -4551,10 +4747,10 @@
+@@ -4551,10 +4765,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -34295,7 +34394,7 @@
  ')
  
  ########################################
-@@ -4569,10 +4765,10 @@
+@@ -4569,10 +4783,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -34308,7 +34407,7 @@
  ')
  
  ########################################
-@@ -4588,10 +4784,10 @@
+@@ -4588,10 +4802,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -34321,7 +34420,7 @@
  ')
  
  ########################################
-@@ -4606,10 +4802,10 @@
+@@ -4606,10 +4820,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -34334,7 +34433,7 @@
  ')
  
  ########################################
-@@ -4625,10 +4821,10 @@
+@@ -4625,10 +4839,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -34347,7 +34446,7 @@
  ')
  
  ########################################
-@@ -4644,12 +4840,11 @@
+@@ -4644,12 +4858,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -34363,7 +34462,7 @@
  ')
  
  ########################################
-@@ -4676,10 +4871,10 @@
+@@ -4676,10 +4889,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -34376,7 +34475,7 @@
  ')
  
  ########################################
-@@ -4694,10 +4889,10 @@
+@@ -4694,10 +4907,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -34389,7 +34488,7 @@
  ')
  
  ########################################
-@@ -4712,13 +4907,13 @@
+@@ -4712,13 +4925,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -34407,7 +34506,7 @@
  ')
  
  ########################################
-@@ -4754,11 +4949,49 @@
+@@ -4754,11 +4967,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -34458,7 +34557,7 @@
  ')
  
  ########################################
-@@ -4778,6 +5011,14 @@
+@@ -4778,6 +5029,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -34473,7 +34572,7 @@
  ')
  
  ########################################
-@@ -4839,6 +5080,26 @@
+@@ -4839,6 +5098,26 @@
  
  ########################################
  ## <summary>
@@ -34500,7 +34599,7 @@
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5120,25 @@
+@@ -4859,6 +5138,25 @@
  
  ########################################
  ## <summary>
@@ -34526,7 +34625,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5159,26 @@
+@@ -4879,6 +5177,26 @@
  
  ########################################
  ## <summary>
@@ -34553,7 +34652,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5415,7 @@
+@@ -5115,7 +5433,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -34562,7 +34661,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5604,63 @@
+@@ -5304,6 +5622,63 @@
  
  ########################################
  ## <summary>
@@ -34626,7 +34725,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,7 +5866,7 @@
+@@ -5509,7 +5884,7 @@
  
  ########################################
  ## <summary>
@@ -34635,7 +34734,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5517,18 +5874,17 @@
+@@ -5517,12 +5892,48 @@
  ##	</summary>
  ## </param>
  #
@@ -34648,60 +34747,11 @@
  
 -	allow $1 user_ttynode:chr_file rw_term_perms;
 +	manage_files_pattern($1, user_tmp_t,  user_tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to use unprivileged
--##	user ttys.
++')
++
++########################################
++## <summary>
 +##	Write all unprivileged users lnk_files in /tmp
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5536,17 +5892,17 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dontaudit_use_unpriv_users_ttys',`
-+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
- 	gen_require(`
--		attribute user_ttynode;
-+		type user_tmp_t;
- 	')
- 
--	dontaudit $1 user_ttynode:chr_file rw_file_perms;
-+	manage_lnk_files_pattern($1, user_tmp_t,  user_tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read the process state of all user domains.
-+##	Read and write unprivileged user ttys.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5554,19 +5910,56 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_use_unpriv_users_ttys',`
- 	gen_require(`
--		attribute userdomain;
-+		attribute user_ttynode;
- 	')
- 
--	read_files_pattern($1,userdomain,userdomain)
--	kernel_search_proc($1)
-+	allow $1 user_ttynode:chr_file rw_term_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of all user domains.
--## </summary>
-+##	Do not audit attempts to use unprivileged
-+##	user ttys.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -34709,17 +34759,17 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
++interface(`userdom_manage_unpriv_users_tmp_symlinks',`
 +	gen_require(`
-+		attribute user_ttynode;
++		type user_tmp_t;
 +	')
 +
-+	dontaudit $1 user_ttynode:chr_file rw_file_perms;
++	manage_lnk_files_pattern($1, user_tmp_t,  user_tmp_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read the process state of all user domains.
++##	Read and write unprivileged user ttys.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -34727,23 +34777,25 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_read_all_users_state',`
++interface(`userdom_use_unpriv_users_ttys',`
 +	gen_require(`
-+		attribute userdomain;
++		attribute user_ttynode;
 +	')
 +
++	allow $1 user_ttynode:chr_file rw_term_perms;
+ ')
+ 
+ ########################################
+@@ -5559,7 +5970,7 @@
+ 		attribute userdomain;
+ 	')
+ 
+-	read_files_pattern($1,userdomain,userdomain)
 +	ps_process_pattern($1,userdomain)
-+	kernel_search_proc($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Get the attributes of all user domains.
-+## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
-@@ -5674,6 +6067,42 @@
+ 	kernel_search_proc($1)
+ ')
+ 
+@@ -5674,6 +6085,42 @@
  
  ########################################
  ## <summary>
@@ -34786,7 +34838,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6133,408 @@
+@@ -5704,3 +6151,408 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.662
retrieving revision 1.663
diff -u -r1.662 -r1.663
--- selinux-policy.spec	6 May 2008 17:03:33 -0000	1.662
+++ selinux-policy.spec	7 May 2008 19:12:27 -0000	1.663
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 45%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -288,9 +288,9 @@
 %post targeted
 if [ $1 -eq 1 ]; then
 %loadpolicy targeted
-semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
-semanage login -m -S targeted  -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
-semanage login -m -S targeted  -P user -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
+semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 
+semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 __default__
+semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 root
 semanage user -a -S targeted  -P user -R guest_r guest_u
 semanage user -a -S targeted  -P user -R xguest_r xguest_u 
 restorecon -R /root /var/log /var/run 2> /dev/null
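Review bot: Dropping the `2> /dev/null` redirects makes semanage errors visible, but the scriptlet still ignores their exit status, so a failing `semanage user -a ... unconfined_u` (for instance when the targeted store under /etc/selinux still holds the record from an earlier install that rpm no longer knows about, which `$1 -eq 1` cannot detect) leaves the `__default__` and `root` mappings possibly unchanged while the package still installs cleanly. A minimal hardening is to fall back to modify when add fails, `semanage user -a ... unconfined_u || semanage user -m ... unconfined_u`, and to report a non-zero result from the two `login -m` lines so a broken first boot is at least logged. Removing `-P user` from the `semanage login -m` lines looks right, presumably because the prefix option belongs to `semanage user`; the new `semanage user -a` line also carries a trailing space.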
@@ -385,6 +385,15 @@
 %endif
 
 %changelog
+* Wed May 7 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-48
+- Allow amanada to create data files
+
+* Wed May 7 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-47
+- Fix initial install, semanage setup
+
+* Tue May 6 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-46
+- Allow system_r for httpd_unconfined_script_t
+
 * Wed Apr 30 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-45
 - Remove dmesg boolean
 - Allow user domains to read/write game data



