rpms/selinux-policy/F-9 policy-20071130.patch,1.145,1.146

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue May 13 17:54:56 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16361

Modified Files:
	policy-20071130.patch 
Log Message:
* Tue May 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-51
- Dontaudit dhcpc_t reading of domains state 


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.145
retrieving revision 1.146
diff -u -r1.145 -r1.146
--- policy-20071130.patch	13 May 2008 17:13:51 -0000	1.145
+++ policy-20071130.patch	13 May 2008 17:54:17 -0000	1.146
@@ -7658,7 +7658,16 @@
  type power_device_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if	2008-05-08 11:06:31.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/domain.if	2008-05-13 13:38:39.972337000 -0400
+@@ -525,7 +525,7 @@
+ 	')
+ 
+ 	kernel_search_proc($1)
+-	allow $1 domain:dir search;
++	allow $1 domain:dir search_dir_perms;
+ ')
+ 
+ ########################################
 @@ -1242,18 +1242,34 @@
  ##	</summary>
  ## </param>
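Review bot: `allow $1 domain:dir search_dir_perms;` widens every caller of this interface from plain `search` to the directory-search permission set (which, as far as I know, also carries `getattr`) on all `domain` process directories, and nothing in the hunk updates the interface documentation to match. The interface header starts above the visible lines, so its name, its `## <summary>` and its callers cannot be checked here. If the summary still describes search only, it should be reworded, e.g. `##	Search and get the attributes of the process state directories of all domains.`. The log message speaks only of a dhcpc_t dontaudit, so it is worth confirming that this allow-side change is intended for every domain that calls the interface.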
@@ -16067,7 +16076,7 @@
 +/etc/rc.d/init.d/innd		--	gen_context(system_u:object_r:innd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-3.3.1/policy/modules/services/inn.if
 --- nsaserefpolicy/policy/modules/services/inn.if	2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/inn.if	2008-05-08 11:06:32.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/inn.if	2008-05-13 13:17:17.445562000 -0400
 @@ -54,8 +54,7 @@
  	')
  
@@ -28114,7 +28123,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-05-13 11:38:07.156366000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-05-13 13:28:27.718483000 -0400
 @@ -59,6 +59,9 @@
  type utempter_exec_t;
  application_domain(utempter_t,utempter_exec_t)
@@ -28154,7 +28163,7 @@
 +userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
 +userdom_dontaudit_write_user_home_content_files(user, pam_t)
 +userdom_append_unpriv_users_home_content_files(pam_t)
-+userdom_dontaudit_read_user_tmp_files(pam_t)
++userdom_dontaudit_read_user_tmp_files(user, pam_t)
 +
  ifdef(`distro_ubuntu',`
  	optional_policy(`
@@ -29005,7 +29014,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/iptables.te	2008-05-13 11:32:48.185915000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/iptables.te	2008-05-13 13:30:19.934979000 -0400
 @@ -48,6 +48,7 @@
  
  fs_getattr_xattr_fs(iptables_t)
@@ -29019,7 +29028,7 @@
  logging_send_syslog_msg(iptables_t)
  # system-config-network appends to /var/log
 -#logging_append_system_logs(iptables_t)
-+logging_append_system_logs(iptables_t)
++logging_append_all_logs(iptables_t)
  
  miscfiles_read_localization(iptables_t)
  
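Review bot: `logging_append_all_logs(iptables_t)` lets iptables_t append to log files of every log type instead of only the generic system logs the replaced line covered, and the comment above it (`# system-config-network appends to /var/log`) does not explain why the wider grant is needed. If one service's log type caused the denial, a type-specific append rule would keep the domain narrower. Otherwise record the reason next to the rule, e.g. `# system-config-network appends to <log type from the AVC>, not only var_log_t`. Append access from a firewall-configuration domain to unrelated logs deserves a stated justification, since those logs are later relied on as evidence.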
@@ -31096,7 +31105,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te	2008-05-08 11:06:33.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te	2008-05-13 13:39:13.704983000 -0400
 @@ -75,7 +75,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -31320,7 +31329,22 @@
  kernel_read_system_state(setfiles_t)
  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
  kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -555,9 +530,13 @@
+@@ -544,20 +519,25 @@
+ kernel_rw_pipes(setfiles_t)
+ kernel_rw_unix_dgram_sockets(setfiles_t)
+ kernel_dontaudit_list_all_proc(setfiles_t)
+-kernel_dontaudit_list_all_sysctls(setfiles_t)
++kernel_read_all_sysctls(setfiles_t)
++kernel_read_network_state_symlinks(setfiles_t)
+ 
+ dev_relabel_all_dev_nodes(setfiles_t)
+ 
+ domain_use_interactive_fds(setfiles_t)
+-domain_dontaudit_search_all_domains_state(setfiles_t)
+-
++domain_read_all_domains_state(setfiles_t)
++ 
+ files_read_etc_runtime_files(setfiles_t)
  files_read_etc_files(setfiles_t)
  files_list_all(setfiles_t)
  files_relabel_all_files(setfiles_t)
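Review bot: Two `dontaudit` rules for setfiles_t are replaced by real grants, `kernel_read_all_sysctls(setfiles_t)` and `domain_read_all_domains_state(setfiles_t)`, with `kernel_read_network_state_symlinks(setfiles_t)` added, and neither a comment nor the log message (which mentions only dhcpc_t) says why. setfiles_t can already relabel all files, so also letting it read every domain's /proc state enlarges what that domain can disclose if it is misused. If the aim is only to silence denials while it walks /proc, keeping `kernel_dontaudit_list_all_sysctls(setfiles_t)` and `domain_dontaudit_search_all_domains_state(setfiles_t)` is the narrower choice; otherwise put a why-comment above the new lines. The added `+ ` line after the domain rule also turns a blank line into one holding only whitespace, and the setfiles_t rule block continues outside this hunk.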
@@ -31334,7 +31358,7 @@
  fs_search_auto_mountpoints(setfiles_t)
  fs_relabelfrom_noxattr_fs(setfiles_t)
  
-@@ -572,9 +551,7 @@
+@@ -572,9 +552,7 @@
  selinux_compute_relabel_context(setfiles_t)
  selinux_compute_user_contexts(setfiles_t)
  
@@ -31345,7 +31369,7 @@
  
  # this is to satisfy the assertion:
  auth_relabelto_shadow(setfiles_t)
-@@ -617,16 +594,8 @@
+@@ -617,16 +595,8 @@
  	')
  ')
  
@@ -31787,8 +31811,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc	2008-05-08 11:06:33.000000000 -0400
-@@ -2,15 +2,18 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc	2008-05-13 13:33:13.866883000 -0400
+@@ -2,15 +2,16 @@
  # e.g.:
  # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
  # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
@@ -31806,8 +31830,6 @@
  ')
 +/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/sbin/mock			    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
-+/usr/bin/livecd-creator		    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 +/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/lib/erlang/erts-[^/]+/bin/beam.smp --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)



