rpms/selinux-policy/F-10 policy-20080710.patch, 1.96, 1.97 selinux-policy.spec, 1.748, 1.749
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Nov 14 16:08:52 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16989
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
* Fri Nov 14 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-21
- Allow sambagui to use nsswitch
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.96
retrieving revision 1.97
diff -u -r1.96 -r1.97
--- policy-20080710.patch 13 Nov 2008 23:48:05 -0000 1.96
+++ policy-20080710.patch 14 Nov 2008 16:08:52 -0000 1.97
@@ -4148,8 +4148,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-11-11 16:22:03.000000000 -0500
-@@ -0,0 +1,11 @@
++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-11-14 09:10:32.000000000 -0500
+@@ -0,0 +1,12 @@
+
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
@@ -4161,6 +4161,7 @@
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
++HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-11-11 16:22:03.000000000 -0500
@@ -4996,11 +4997,17 @@
+/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-11 16:22:03.000000000 -0500
-@@ -48,6 +48,91 @@
++++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-14 10:55:17.000000000 -0500
+@@ -46,6 +46,96 @@
+ qemu_domtrans($1)
+ role $2 types qemu_t;
allow qemu_t $3:chr_file rw_file_perms;
- ')
-
++
++ optional_policy(`
++ samba_run_smb(qemu_t, $2, $3)
++ ')
++')
++
+#######################################
+## <summary>
+## The per role template for the qemu module.
@@ -5043,6 +5050,7 @@
+ xserver_common_app($1, qemu_t)
+')
+
++
+#######################################
+## <summary>
+## The per role template for the qemu module.
@@ -5084,12 +5092,10 @@
+
+ domtrans_pattern($2, qemu_exec_t, qemu_t)
+ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
-+ ')
-+
+ ')
+
########################################
- ## <summary>
- ## Allow the domain to read state files in /proc.
-@@ -68,6 +153,64 @@
+@@ -68,6 +158,64 @@
########################################
## <summary>
@@ -5154,15 +5160,16 @@
## Send a signal to qemu.
## </summary>
## <param name="domain">
-@@ -104,7 +247,71 @@
+@@ -104,114 +252,194 @@
########################################
## <summary>
-## Execute a domain transition to run qemu unconfined.
+## Execute qemu programs in the qemu domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
+## </summary>
+## </param>
@@ -5174,35 +5181,50 @@
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the PAM domain to use.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_runas',`
-+ gen_require(`
+ gen_require(`
+- type qemu_unconfined_t, qemu_exec_t;
+ type qemu_t;
-+ ')
-+
+ ')
+
+- domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
+ qemu_domtrans($1)
+ allow qemu_t $3:chr_file rw_file_perms;
-+')
+
-+########################################
-+## <summary>
++ optional_policy(`
++ samba_domtrans_smb(qemu_t)
++ ')
+ ')
+
+ ########################################
+ ## <summary>
+-## Creates types and rules for a basic
+-## qemu process domain.
+## Execute qemu programs in the role.
-+## </summary>
+ ## </summary>
+-## <param name="prefix">
+## <param name="role">
-+## <summary>
+ ## <summary>
+-## Prefix for the domain.
+## The role to allow the PAM domain.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-template(`qemu_domain_template',`
+interface(`qemu_role',`
+ gen_require(`
+ type qemu_t;
+ ')
+ role $1 types qemu_t;
+')
-+
+
+- ##############################
+- #
+- # Local Policy
+########################################
+## <summary>
+## Execute qemu unconfined programs in the role.
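Review bot: The `samba_domtrans_smb(qemu_t)` block added to `qemu_runas` references none of the interface's arguments, so every caller re-emits the same qemu_t rule and the permission now exists only if some module calls this interface; the equivalent rule is removed from qemu.te later in this patch revision. It also grants only the transition, whereas the earlier qemu.if hunk uses `samba_run_smb(qemu_t, $2, $3)`, which additionally authorizes the role for smbd_t; a role reaching qemu_t through `qemu_runas` without that authorization would presumably be unable to complete the transition. Either keep the rule in qemu.te or add a comment such as `# smbd is started by qemu_t; callers must authorize their role for smbd_t separately`. The interface's header starts outside this hunk.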
@@ -5212,25 +5234,52 @@
+## The role to allow the PAM domain.
+## </summary>
+## </param>
-+#
+ #
+interface(`qemu_unconfined_role',`
+ gen_require(`
+ type qemu_unconfined_t;
+ ')
+ role $1 types qemu_unconfined_t;
+')
-+
-+
+
+- type $1_t;
+- domain_type($1_t)
+-
+- type $1_tmp_t;
+- files_tmp_file($1_tmp_t)
+
+- ##############################
+- #
+- # Local Policy
+########################################
+## <summary>
+## Execute a domain transition to run qemu.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -122,6 +329,36 @@
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
+ #
++interface(`qemu_domtrans_unconfined',`
++ gen_require(`
++ type qemu_unconfined_t, qemu_exec_t;
++ ')
- ########################################
- ## <summary>
+- allow $1_t self:capability { dac_read_search dac_override };
+- allow $1_t self:process { execstack execmem signal getsched };
+- allow $1_t self:fifo_file rw_file_perms;
+- allow $1_t self:shm create_shm_perms;
+- allow $1_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_t self:tcp_socket create_stream_socket_perms;
++ domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
++')
+
+- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
++########################################
++## <summary>
+## Execute qemu programs in the qemu unconfined domain.
+## </summary>
+## <param name="domain">
@@ -5253,63 +5302,12 @@
+ gen_require(`
+ type qemu_unconfined_t;
+ ')
-+
+
+- kernel_read_system_state($1_t)
+ qemu_domtrans_unconfined($1)
+ allow qemu_unconfined_t $3:chr_file rw_file_perms;
+')
-+
-+
-+########################################
-+## <summary>
- ## Creates types and rules for a basic
- ## qemu process domain.
- ## </summary>
-@@ -133,85 +370,32 @@
- #
- template(`qemu_domain_template',`
-
-- ##############################
-- #
-- # Local Policy
-- #
-+ gen_require(`
-+ attribute qemutype;
-+ ')
-
-- type $1_t;
-- domain_type($1_t)
-+ type $1_t, qemutype;
-
- type $1_tmp_t;
- files_tmp_file($1_tmp_t)
-
-- ##############################
-- #
-- # Local Policy
-- #
-+ type $1_tmpfs_t;
-+ files_tmpfs_file($1_tmpfs_t)
-
-- allow $1_t self:capability { dac_read_search dac_override };
-- allow $1_t self:process { execstack execmem signal getsched };
-- allow $1_t self:fifo_file rw_file_perms;
-- allow $1_t self:shm create_shm_perms;
-- allow $1_t self:unix_stream_socket create_stream_socket_perms;
-- allow $1_t self:tcp_socket create_stream_socket_perms;
-+ type $1_image_t;
-+ virt_image($1_image_t)
-+
-+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
-+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
-+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
-+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
-
-- kernel_read_system_state($1_t)
--
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_all_if($1_t)
@@ -5318,44 +5316,105 @@
- corenet_tcp_bind_all_nodes($1_t)
- corenet_tcp_bind_vnc_port($1_t)
- corenet_rw_tun_tap_dev($1_t)
--
++########################################
++## <summary>
++## Manage qemu temporary dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qemu_manage_tmp_dirs',`
++ gen_require(`
++ type qemu_tmp_t;
++ ')
+
-# dev_rw_kvm($1_t)
--
++ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
++')
+
- domain_use_interactive_fds($1_t)
--
++########################################
++## <summary>
++## Manage qemu temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qemu_manage_tmp_files',`
++ gen_require(`
++ type qemu_tmp_t;
++ ')
+
- files_read_etc_files($1_t)
- files_read_usr_files($1_t)
- files_read_var_files($1_t)
- files_search_all($1_t)
--
++ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
++')
+
- fs_list_inotifyfs($1_t)
- fs_rw_anon_inodefs_files($1_t)
- fs_rw_tmpfs_files($1_t)
--
++########################################
++## <summary>
++## Creates types and rules for a basic
++## qemu process domain.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++template(`qemu_domain_template',`
+
- storage_raw_write_removable_device($1_t)
- storage_raw_read_removable_device($1_t)
--
++ gen_require(`
++ attribute qemutype;
++ ')
+
- term_use_ptmx($1_t)
- term_getattr_pty_fs($1_t)
- term_use_generic_ptys($1_t)
--
++ type $1_t, qemutype;
+
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
--
++ type $1_tmp_t, qemutmpfile;
++ files_tmp_file($1_tmp_t)
+
- miscfiles_read_localization($1_t)
--
++ type $1_tmpfs_t;
++ files_tmpfs_file($1_tmpfs_t)
+
- sysnet_read_config($1_t)
--
++ type $1_image_t;
++ virt_image($1_image_t)
+
-# optional_policy(`
-# samba_domtrans_smb($1_t)
-# ')
--
++ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
++ manage_files_pattern($1_t, $1_image_t, $1_image_t)
++ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
++ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+
- optional_policy(`
- virt_manage_images($1_t)
- virt_read_config($1_t)
- virt_read_lib_files($1_t)
- ')
--
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
- optional_policy(`
- xserver_stream_connect_xdm_xserver($1_t)
- xserver_read_xdm_tmp_files($1_t)
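Review bot: `qemu_domain_template` now declares `type $1_tmp_t, qemutmpfile;` but its `gen_require` still lists only `attribute qemutype;`, so the template relies on `qemutmpfile` already being in scope wherever it is expanded; add `attribute qemutmpfile;` to the `gen_require` block. The two new interfaces `qemu_manage_tmp_dirs` and `qemu_manage_tmp_files` name `qemu_tmp_t` directly rather than the new attribute, so temp types generated for other prefixes are not covered, and nothing visible in this revision uses `qemutmpfile` yet. If the attribute is meant to be the handle other domains use, the interfaces should grant on it; if not, a one-line comment on its purpose would help. The template body continues outside this hunk.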
@@ -5369,17 +5428,18 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-11 16:22:03.000000000 -0500
-@@ -6,6 +6,8 @@
++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-14 10:33:08.000000000 -0500
+@@ -6,6 +6,9 @@
# Declarations
#
+attribute qemutype;
++attribute qemutmpfile;
+
## <desc>
## <p>
## Allow qemu to connect fully to the network
-@@ -13,16 +15,102 @@
+@@ -13,16 +16,102 @@
## </desc>
gen_tunable(qemu_full_network, false)
@@ -5482,7 +5542,7 @@
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
-@@ -35,6 +123,30 @@
+@@ -35,6 +124,26 @@
corenet_tcp_connect_all_ports(qemu_t)
')
@@ -5495,10 +5555,6 @@
+')
+
+optional_policy(`
-+ samba_domtrans_smb(qemu_t)
-+')
-+
-+optional_policy(`
+ virt_manage_images(qemu_t)
+')
+
@@ -5529,8 +5585,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-11 16:22:03.000000000 -0500
-@@ -0,0 +1,60 @@
++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-14 10:20:42.000000000 -0500
+@@ -0,0 +1,62 @@
+policy_module(sambagui,1.0.0)
+
+########################################
@@ -5568,6 +5624,8 @@
+
+fs_list_inotifyfs(sambagui_t)
+
++auth_use_nsswitch(sambagui_t)
++
+libs_use_ld_so(sambagui_t)
+libs_use_shared_libs(sambagui_t)
+
@@ -11678,7 +11736,7 @@
# /usr
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.13/policy/modules/services/arpwatch.if
--- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if 2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if 2008-11-14 10:34:29.000000000 -0500
@@ -90,3 +90,45 @@
dontaudit $1 arpwatch_t:packet_socket { read write };
@@ -12534,7 +12592,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-11-14 08:56:39.000000000 -0500
@@ -0,0 +1,81 @@
+policy_module(certmaster,1.0.0)
+
@@ -12571,7 +12629,7 @@
+#
+# certmaster local policy
+#
-+
++allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
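Review bot: `allow certmaster_t self:capability sys_tty_config;` is added without a comment and is not mentioned in the 3.5.13-21 changelog entry, which lists only the sambagui change. The next line gives certmaster_t `self:tcp_socket create_stream_socket_perms`, so this capability goes to a domain that handles network connections. If the denial came from a benign terminal call at daemon start-up (an assumption, the AVC is not shown), `dontaudit certmaster_t self:capability sys_tty_config;` would silence it without granting it. Otherwise add a comment naming the operation that needs it, and a changelog line.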
@@ -22708,8 +22766,33 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-11 16:22:03.000000000 -0500
-@@ -44,6 +44,44 @@
++++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-14 10:57:07.000000000 -0500
+@@ -6,6 +6,24 @@
+
+ #######################################
+ ## <summary>
++## The role for the samba module.
++## </summary>
++## <param name="role">
++## <summary>
++## The role to be allowed the samba_net domain.
++## </summary>
++## </param>
++#
++template(`samba_role_notrans',`
++ gen_require(`
++ type smbd_t;
++ ')
++
++ role $1 types smbd_t;
++')
++
++#######################################
++## <summary>
+ ## The per role template for the samba module.
+ ## </summary>
+ ## <desc>
+@@ -44,6 +62,44 @@
########################################
## <summary>
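Review bot: The doc block for `samba_role_notrans` says the role is allowed "the samba_net domain", but the body is `role $1 types smbd_t;`; the parameter summary should read `The role to be allowed the smbd domain.` The top summary "The role for the samba module." could also state that the macro only authorizes the role for smbd_t and adds no domain transition, which is what the name implies. Since the macro declares no types, `interface(` rather than `template(` would match how `samba_run_smb` is written later in this patch.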
@@ -22754,7 +22837,7 @@
## Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
-@@ -63,6 +101,25 @@
+@@ -63,6 +119,25 @@
########################################
## <summary>
@@ -22780,10 +22863,42 @@
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
-@@ -95,6 +152,38 @@
+@@ -95,6 +170,70 @@
########################################
## <summary>
++## Execute smbd in the smbd domain, and
++## allow the specified role the smbd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the samba_smb domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the terminal allow the samba_smb domain to use.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`samba_run_smb',`
++ gen_require(`
++ type smbd_t;
++ ')
++
++ samba_domtrans_smb($1)
++ role $2 types smbd_t;
++ allow smbd_t $3:chr_file rw_term_perms;
++')
++
++########################################
++## <summary>
+## Execute samba net in the samba_unconfined_net domain, and
+## allow the specified role the samba_unconfined_net domain.
+## </summary>
@@ -22819,7 +22934,7 @@
## Execute smbmount in the smbmount domain.
## </summary>
## <param name="domain">
-@@ -188,6 +277,28 @@
+@@ -188,6 +327,28 @@
########################################
## <summary>
@@ -22848,7 +22963,7 @@
## Allow the specified domain to read samba's log files.
## </summary>
## <param name="domain">
-@@ -331,6 +442,25 @@
+@@ -331,6 +492,25 @@
########################################
## <summary>
@@ -22874,7 +22989,7 @@
## Allow the specified domain to
## read and write samba /var files.
## </summary>
-@@ -348,6 +478,7 @@
+@@ -348,6 +528,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
@@ -22882,7 +22997,7 @@
')
########################################
-@@ -420,6 +551,7 @@
+@@ -420,6 +601,7 @@
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -22890,7 +23005,7 @@
')
########################################
-@@ -503,3 +635,208 @@
+@@ -503,3 +685,208 @@
stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
')
')
@@ -23101,7 +23216,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-14 10:37:14.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -23284,7 +23399,19 @@
')
optional_policy(`
-@@ -379,8 +420,10 @@
+@@ -360,6 +401,11 @@
+ ')
+
+ optional_policy(`
++ qemu_manage_tmp_dirs(smbd_t)
++ qemu_manage_tmp_files(smbd_t)
++')
++
++optional_policy(`
+ rpc_search_nfs_state_data(smbd_t)
+ ')
+
+@@ -379,8 +425,10 @@
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
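Review bot: The new `qemu_manage_tmp_dirs(smbd_t)` / `qemu_manage_tmp_files(smbd_t)` block gives every smbd_t process, including the network-facing system daemon, create, write and delete access to qemu_tmp_t, with only `optional_policy` around it. The grant presumably exists for an smbd instance that qemu_t starts itself (this revision also wires up the qemu_t to smbd_t transition), but nothing limits it to that case. Consider putting it behind a tunable that defaults to off, or at least add a comment above the block naming the use case so the scope can be re-examined later. Only part of the smbd_t policy is visible in this hunk.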
@@ -23295,7 +23422,7 @@
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -452,6 +495,7 @@
+@@ -452,6 +500,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -23303,7 +23430,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -536,6 +580,7 @@
+@@ -536,6 +585,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -23311,7 +23438,7 @@
corecmd_list_bin(smbmount_t)
-@@ -547,32 +592,46 @@
+@@ -547,32 +597,46 @@
auth_use_nsswitch(smbmount_t)
@@ -23364,7 +23491,7 @@
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -592,6 +651,9 @@
+@@ -592,6 +656,9 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -23374,7 +23501,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -616,10 +678,12 @@
+@@ -616,10 +683,12 @@
dev_read_urand(swat_t)
@@ -23387,7 +23514,7 @@
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -628,6 +692,7 @@
+@@ -628,6 +697,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@@ -23395,7 +23522,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -645,6 +710,17 @@
+@@ -645,6 +715,17 @@
kerberos_use(swat_t)
')
@@ -23413,7 +23540,7 @@
########################################
#
# Winbind local policy
-@@ -694,6 +770,8 @@
+@@ -694,6 +775,8 @@
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@@ -23422,7 +23549,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -780,8 +858,13 @@
+@@ -780,8 +863,13 @@
miscfiles_read_localization(winbind_helper_t)
optional_policy(`
@@ -23436,7 +23563,7 @@
')
########################################
-@@ -790,6 +873,16 @@
+@@ -790,6 +878,16 @@
#
optional_policy(`
@@ -23453,7 +23580,7 @@
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -800,9 +893,46 @@
+@@ -800,9 +898,46 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -31884,7 +32011,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-11-14 10:57:44.000000000 -0500
@@ -6,35 +6,76 @@
# Declarations
#
@@ -32092,7 +32219,7 @@
')
optional_policy(`
-@@ -159,43 +219,48 @@
+@@ -159,43 +219,49 @@
')
optional_policy(`
@@ -32140,6 +32267,7 @@
optional_policy(`
samba_per_role_template(unconfined)
- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ samba_role_notrans(unconfined_r)
+ samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -32157,7 +32285,7 @@
')
optional_policy(`
-@@ -203,7 +268,7 @@
+@@ -203,7 +269,7 @@
')
optional_policy(`
@@ -32166,7 +32294,7 @@
')
optional_policy(`
-@@ -215,11 +280,12 @@
+@@ -215,11 +281,12 @@
')
optional_policy(`
@@ -32181,7 +32309,7 @@
')
########################################
-@@ -229,14 +295,58 @@
+@@ -229,14 +296,58 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.748
retrieving revision 1.749
diff -u -r1.748 -r1.749
--- selinux-policy.spec 11 Nov 2008 14:58:49 -0000 1.748
+++ selinux-policy.spec 14 Nov 2008 16:08:52 -0000 1.749
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -457,6 +457,9 @@
%endif
%changelog
+* Fri Nov 14 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-21
+- Allow sambagui to use nsswitch
+
* Mon Nov 10 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-20
- Change default boolean settings for xguest
- Allow mount to r/w image files