rpms/selinux-policy/F-9 policy-20071130.patch,1.145,1.146
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue May 13 17:54:56 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16361
Modified Files:
policy-20071130.patch
Log Message:
* Tue May 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-51
- Dontaudit dhcpc_t reading of domains state
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.145
retrieving revision 1.146
diff -u -r1.145 -r1.146
--- policy-20071130.patch 13 May 2008 17:13:51 -0000 1.145
+++ policy-20071130.patch 13 May 2008 17:54:17 -0000 1.146
@@ -7658,7 +7658,16 @@
type power_device_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-02-26 08:23:11.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-05-08 11:06:31.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-05-13 13:38:39.972337000 -0400
+@@ -525,7 +525,7 @@
+ ')
+
+ kernel_search_proc($1)
+- allow $1 domain:dir search;
++ allow $1 domain:dir search_dir_perms;
+ ')
+
+ ########################################
@@ -1242,18 +1242,34 @@
## </summary>
## </param>
@@ -16067,7 +16076,7 @@
+/etc/rc.d/init.d/innd -- gen_context(system_u:object_r:innd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-3.3.1/policy/modules/services/inn.if
--- nsaserefpolicy/policy/modules/services/inn.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/inn.if 2008-05-08 11:06:32.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/inn.if 2008-05-13 13:17:17.445562000 -0400
@@ -54,8 +54,7 @@
')
@@ -28114,7 +28123,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-05-13 11:38:07.156366000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-05-13 13:28:27.718483000 -0400
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -28154,7 +28163,7 @@
+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
+userdom_dontaudit_write_user_home_content_files(user, pam_t)
+userdom_append_unpriv_users_home_content_files(pam_t)
-+userdom_dontaudit_read_user_tmp_files(pam_t)
++userdom_dontaudit_read_user_tmp_files(user, pam_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
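Review bot: The corrected call `userdom_dontaudit_read_user_tmp_files(user, pam_t)` covers only the `user` prefix, while the calls just above it for pam_t use the `unpriv_users` variants. If the intent is to silence pam_t reads of tmp files for all unprivileged roles, the other role prefixes presumably still generate denials; if only `user` is intended, a short comment would make that explicit, for example `# only user_t sessions trigger this; other roles stay audited`. Since a dontaudit rule hides the access from the audit log, the reason for suppressing it should be recorded next to the rule. The enclosing pam_t block starts outside this hunk.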
@@ -29005,7 +29014,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-05-13 11:32:48.185915000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-05-13 13:30:19.934979000 -0400
@@ -48,6 +48,7 @@
fs_getattr_xattr_fs(iptables_t)
@@ -29019,7 +29028,7 @@
logging_send_syslog_msg(iptables_t)
# system-config-network appends to /var/log
-#logging_append_system_logs(iptables_t)
-+logging_append_system_logs(iptables_t)
++logging_append_all_logs(iptables_t)
miscfiles_read_localization(iptables_t)
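Review bot: Switching to `logging_append_all_logs(iptables_t)` widens the grant from one log type to, presumably, every type carrying the log-file attribute, yet the comment above it still cites only system-config-network appending to /var/log. Appending to every daemon's log is more than that comment justifies for a domain that loads firewall rules. Either keep the narrow interface and label the specific file that triggered the denial, or update the comment to name it, for example `# system-config-network hands iptables an fd opened for append on <log type>; TODO narrow once the type is known`. The iptables_t rule block continues outside the hunk.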
@@ -31096,7 +31105,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-05-08 11:06:33.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-05-13 13:39:13.704983000 -0400
@@ -75,7 +75,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -31320,7 +31329,22 @@
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -555,9 +530,13 @@
+@@ -544,20 +519,25 @@
+ kernel_rw_pipes(setfiles_t)
+ kernel_rw_unix_dgram_sockets(setfiles_t)
+ kernel_dontaudit_list_all_proc(setfiles_t)
+-kernel_dontaudit_list_all_sysctls(setfiles_t)
++kernel_read_all_sysctls(setfiles_t)
++kernel_read_network_state_symlinks(setfiles_t)
+
+ dev_relabel_all_dev_nodes(setfiles_t)
+
+ domain_use_interactive_fds(setfiles_t)
+-domain_dontaudit_search_all_domains_state(setfiles_t)
+-
++domain_read_all_domains_state(setfiles_t)
++
+ files_read_etc_runtime_files(setfiles_t)
files_read_etc_files(setfiles_t)
files_list_all(setfiles_t)
files_relabel_all_files(setfiles_t)
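Review bot: The setfiles_t block turns two dontaudit calls into real grants (`kernel_read_all_sysctls`, `kernel_read_network_state_symlinks` and `domain_read_all_domains_state`) with no comment, and the changelog entry mentions only a dhcpc_t dontaudit. setfiles_t can already relabel all files, so also letting it read every domain's /proc state and all sysctls deserves a recorded reason. It also sits oddly beside the retained `kernel_dontaudit_list_all_proc(setfiles_t)`. If the denials were only noise from walking /proc, keeping `domain_dontaudit_search_all_domains_state(setfiles_t)` is the narrower choice. Otherwise add a line such as `# setfiles reads /proc/<pid> while relabeling - TODO confirm which access is required`. The setfiles_t rules begin before and continue after the lines shown.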
@@ -31334,7 +31358,7 @@
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -572,9 +551,7 @@
+@@ -572,9 +552,7 @@
selinux_compute_relabel_context(setfiles_t)
selinux_compute_user_contexts(setfiles_t)
@@ -31345,7 +31369,7 @@
# this is to satisfy the assertion:
auth_relabelto_shadow(setfiles_t)
-@@ -617,16 +594,8 @@
+@@ -617,16 +595,8 @@
')
')
@@ -31787,8 +31811,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-02-26 08:23:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-08 11:06:33.000000000 -0400
-@@ -2,15 +2,18 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-13 13:33:13.866883000 -0400
+@@ -2,15 +2,16 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
@@ -31806,8 +31830,6 @@
')
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
-+/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)