rpms/selinux-policy/devel policy-20080710.patch, 1.52, 1.53 selinux-policy.spec, 1.716, 1.717

Daniel J Walsh dwalsh at fedoraproject.org
Fri Oct 3 15:07:41 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21286

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
- Allow domains to search other domains' keys, to cover up a kernel bug


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- policy-20080710.patch	1 Oct 2008 19:15:33 -0000	1.52
+++ policy-20080710.patch	3 Oct 2008 15:07:40 -0000	1.53
@@ -6691,7 +6691,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.9/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/kernel/devices.if	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/kernel/devices.if	2008-10-01 16:12:47.000000000 -0400
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -8448,6 +8448,21 @@
  /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.9/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-08-07 11:15:01.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/kernel/terminal.if	2008-10-02 09:16:08.000000000 -0400
+@@ -250,9 +250,11 @@
+ interface(`term_dontaudit_use_console',`
+ 	gen_require(`
+ 		type console_device_t;
++		type tty_device_t;
+ 	')
+ 
+ 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.9/policy/modules/roles/guest.fc
 --- nsaserefpolicy/policy/modules/roles/guest.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.9/policy/modules/roles/guest.fc	2008-09-25 08:33:18.000000000 -0400
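Review bot: term_dontaudit_use_console now also silences read/write denials on tty_device_t, so the interface does more than its name and its doc block promise; the doc block sits above this hunk and should state the wider scope, e.g. `## Do not audit attempts to read from or write to the console or an unallocated tty device.` Every caller added in this commit (ndc_t in bind.te, ifconfig_t in sysnetwork.te) inherits the extra dontaudit, and because dontaudit hides denials rather than granting access, a caller that only touches the console loses visibility of any unexpected tty access. If the tty case is only needed by some callers, the existing unallocated-tty dontaudit interface in terminal.if would keep the two distinguishable in the audit log.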
@@ -12154,6 +12169,18 @@
 +	files_list_pids($1)
 +	admin_pattern($1, named_var_run_t)
  ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.9/policy/modules/services/bind.te
+--- nsaserefpolicy/policy/modules/services/bind.te	2008-09-24 09:07:28.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/bind.te	2008-10-02 09:17:54.000000000 -0400
+@@ -249,6 +249,8 @@
+ sysnet_read_config(ndc_t)
+ sysnet_dns_name_resolve(ndc_t)
+ 
++term_dontaudit_use_console(ndc_t)
++
+ # for /etc/rndc.key
+ ifdef(`distro_redhat',`
+ 	allow ndc_t named_conf_t:dir search;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.9/policy/modules/services/bitlbee.fc
 --- nsaserefpolicy/policy/modules/services/bitlbee.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.9/policy/modules/services/bitlbee.fc	2008-09-25 08:33:18.000000000 -0400
@@ -21324,7 +21351,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.9/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/prelude.te	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/prelude.te	2008-10-02 09:12:58.000000000 -0400
 @@ -13,18 +13,50 @@
  type prelude_spool_t;
  files_type(prelude_spool_t)
@@ -21418,7 +21445,7 @@
  
  dev_read_rand(prelude_audisp_t)
  dev_read_urand(prelude_audisp_t)
-@@ -117,15 +161,129 @@
+@@ -117,15 +161,134 @@
  # Init script handling
  domain_use_interactive_fds(prelude_audisp_t)
  
@@ -21445,6 +21472,7 @@
 +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
 +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
 +
++allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
 +read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
 +
 +prelude_manage_spool(prelude_correlator_t)
@@ -21464,6 +21492,8 @@
 +files_read_usr_files(prelude_correlator_t)
 +files_search_spool(prelude_correlator_t)
 +
++kernel_read_sysctl(prelude_correlator_t)
++
 +libs_use_ld_so(prelude_correlator_t)
 +libs_use_shared_libs(prelude_correlator_t)
 +
@@ -21504,7 +21534,7 @@
 +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
 +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
 +
-+corecmd_search_bin(prelude_lml_t)
++corecmd_exec_bin(prelude_lml_t)
 +
 +corenet_tcp_sendrecv_generic_if(prelude_lml_t)
 +corenet_tcp_sendrecv_all_nodes(prelude_lml_t)
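Review bot: corecmd_exec_bin(prelude_lml_t) lets the log-monitor domain execute any bin_t binary, a far wider grant than the corecmd_search_bin it replaces, and neither the hunk nor the changelog says which helper it needs. A one-line why-comment naming the program would make the grant reviewable, e.g. `# lml executes <HELPER-PLACEHOLDER> from bin_t`. If only one program is involved, a dedicated exec type with a domain transition would be the tighter alternative. The prelude_lml_t policy block continues outside the hunk.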
@@ -21526,6 +21556,8 @@
 +
 +fs_list_inotifyfs(prelude_lml_t)
 +
++kernel_read_sysctl(prelude_lml_t)
++
 +auth_use_nsswitch(prelude_lml_t)
 +
 +libs_use_ld_so(prelude_lml_t)
@@ -21548,7 +21580,7 @@
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -134,6 +292,17 @@
+@@ -134,6 +297,17 @@
  optional_policy(`
  	apache_content_template(prewikka)
  	files_read_etc_files(httpd_prewikka_script_t)
@@ -28122,6 +28154,109 @@
  kernel_read_kernel_sysctls(zebra_t)
  kernel_rw_net_sysctls(zebra_t)
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.9/policy/modules/services/zosremote.fc
+--- nsaserefpolicy/policy/modules/services/zosremote.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.9/policy/modules/services/zosremote.fc	2008-10-02 09:31:06.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/sbin/audispd-zos-remote	--	gen_context(system_u:object_r:zos_remote_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.9/policy/modules/services/zosremote.if
+--- nsaserefpolicy/policy/modules/services/zosremote.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.9/policy/modules/services/zosremote.if	2008-10-02 09:36:13.000000000 -0400
+@@ -0,0 +1,52 @@
++## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
++
++########################################
++## <summary>
++##      Execute a domain transition to run audispd-zos-remote.
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`zos_remote_domtrans',`
++        gen_require(`
++                type zos_remote_t;
++                type zos_remote_exec_t;
++        ')
++
++        domtrans_pattern($1, zos_remote_exec_t, zos_remote_t);
++')
++
++########################################
++## <summary>
++##	Allow specified type and role to transition and
++##	run in the zos_remote_t domain. Allow specified type
++##	to use zos_remote_t terminal.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the zos_remote domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the role's terminal.
++##	</summary>
++## </param>
++#
++interface(`zos_remote_run',`
++	gen_require(`
++		type zos_remote_t;
++	')
++
++	zos_remote_domtrans($1)
++	role $2 types zos_remote_t;
++	dontaudit zos_remote_t $3:chr_file rw_term_perms;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.9/policy/modules/services/zosremote.te
+--- nsaserefpolicy/policy/modules/services/zosremote.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.9/policy/modules/services/zosremote.te	2008-10-02 09:57:33.000000000 -0400
+@@ -0,0 +1,37 @@
++policy_module(zosremote,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type zos_remote_t;
++type zos_remote_exec_t;
++logging_dispater_domain(zos_remote_t, zos_remote_exec_t)
++
++## use below for RHEL5 series:
++init_system_domain(zos_remote_t, zos_remote_exec_t)
++
++role system_r types zos_remote_t;
++
++
++########################################
++#
++# zos_remote local policy
++#
++
++allow zos_remote_t self:fifo_file rw_file_perms;
++allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
++
++allow zos_remote_t self:process signal;
++
++files_read_etc_files(zos_remote_t)
++
++auth_use_nsswitch(zos_remote_t);
++
++libs_use_ld_so(zos_remote_t)
++libs_use_shared_libs(zos_remote_t)
++
++miscfiles_read_localization(zos_remote_t)
++
++logging_send_syslog_msg(zos_remote_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.9/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2008-08-07 11:15:12.000000000 -0400
 +++ serefpolicy-3.5.9/policy/modules/system/application.te	2008-09-25 08:33:18.000000000 -0400
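Review bot: `auth_use_nsswitch(zos_remote_t);` in the new zosremote.te carries a trailing semicolon while every other interface call in the file has none; m4 passes the `;` through into the expanded policy, so it should read `auth_use_nsswitch(zos_remote_t)`. Two smaller points in the same hunk: the comment `## use below for RHEL5 series:` precedes an unconditional init_system_domain call, so it either documents a conditional that is missing or should become a plain `#` comment, since `##` is the refpolicy doc-comment marker; and the two interfaces in zosremote.if are indented with eight spaces and with tabs respectively. The call `logging_dispater_domain` is spelled unlike "dispatcher"; the interface definition is not on this page, so confirm the name matches logging.if or the module will fail to expand.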
@@ -28800,7 +28935,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.9/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/init.te	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/system/init.te	2008-10-02 09:08:34.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -28990,7 +29125,7 @@
  	squid_manage_logs(initrc_t)
  ')
  
-+ifndef(`targeted_policy',`
++ifdef(`enabled_mls',`
  optional_policy(`
  	# allow init scripts to su
  	su_restricted_domain_template(initrc,initrc_t,system_r)
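Review bot: Replacing `ifndef(`targeted_policy',` with `ifdef(`enabled_mls',` drops the initrc su block from every non-MLS policy, including strict, rather than only from targeted, and the 3.5.9-5 changelog entry mentions only key searching, so the change is undocumented. A why-comment on the condition, e.g. `# init scripts only need a restricted su domain on MLS systems`, or a changelog line, would record the intent. The conditional opened here closes outside the hunk.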
@@ -30962,7 +31097,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2008-08-11 11:23:34.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te	2008-10-01 08:16:34.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te	2008-10-02 09:17:09.000000000 -0400
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t,dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -31102,12 +31237,13 @@
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
-@@ -279,8 +291,12 @@
+@@ -279,8 +291,13 @@
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
  
 +selinux_dontaudit_getattr_fs(ifconfig_t)
 +
++term_dontaudit_use_console(ifconfig_t)
  term_dontaudit_use_all_user_ttys(ifconfig_t)
  term_dontaudit_use_all_user_ptys(ifconfig_t)
 +term_dontaudit_use_ptmx(ifconfig_t)
@@ -31115,7 +31251,7 @@
  
  domain_use_interactive_fds(ifconfig_t)
  
-@@ -336,6 +352,14 @@
+@@ -336,6 +353,14 @@
  ')
  
  optional_policy(`
@@ -31972,7 +32108,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.9/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if	2008-09-29 10:56:25.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/system/userdomain.if	2008-10-01 16:13:30.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')
@@ -32543,7 +32679,7 @@
  	# GNOME checks for usb and other devices:
 -	dev_rw_usbfs($1_t)
 +	dev_rw_usbfs($1_usertype)
-+	dev_read_generic_usb_dev($1_usertype)
++	dev_rw_generic_usb_dev($1_usertype)
  
 -	xserver_user_client_template($1,$1_t,$1_tmpfs_t)
 -	xserver_xsession_entry_type($1_t)
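Review bot: dev_rw_generic_usb_dev($1_usertype) widens every user domain built from this template from read to read/write on generic USB device nodes, and the 3.5.9-5 changelog does not mention it. The preceding comment `# GNOME checks for usb and other devices:` justifies reading only; if write access is needed for a specific desktop use, extend the comment to say so, e.g. `# GNOME checks for usb and other devices; rw is needed for <REASON-PLACEHOLDER>`. The template this rule belongs to begins and ends outside the hunk.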


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.716
retrieving revision 1.717
diff -u -r1.716 -r1.717
--- selinux-policy.spec	1 Oct 2008 19:15:34 -0000	1.716
+++ selinux-policy.spec	3 Oct 2008 15:07:40 -0000	1.717
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.9
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -390,6 +390,9 @@
 %endif
 
 %changelog
+* Wed Oct 1 2008 Dan Walsh <dwalsh at redhat.com> 3.5.9-5
+- Allow domains to search other domains keys, coverup kernel bug
+
 * Wed Oct 1 2008 Dan Walsh <dwalsh at redhat.com> 3.5.9-4
 - Fix labeling for oracle 
 



