rpms/selinux-policy/devel policy-20080710.patch,1.62,1.63
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Oct 15 01:37:38 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27908
Modified Files:
policy-20080710.patch
Log Message:
* Fri Oct 10 2008 Dan Walsh <dwalsh at redhat.com> 3.5.12-1
- Update to upstream
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- policy-20080710.patch 14 Oct 2008 23:33:37 -0000 1.62
+++ policy-20080710.patch 15 Oct 2008 01:37:04 -0000 1.63
@@ -21454,7 +21454,7 @@
rpm_use_script_fds(setroubleshootd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.12/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 21:15:21.000000000 -0400
@@ -19,6 +19,10 @@
type fsdaemon_tmp_t;
files_tmp_file(fsdaemon_tmp_t)
@@ -21479,7 +21479,7 @@
corenet_udp_sendrecv_all_nodes(fsdaemon_t)
corenet_udp_sendrecv_all_ports(fsdaemon_t)
-+dev_del_generic_dirs(fsdaemon_t)
++dev_delete_generic_dirs(fsdaemon_t)
dev_read_sysfs(fsdaemon_t)
dev_read_urand(fsdaemon_t)
@@ -22982,7 +22982,7 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.12/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 21:22:03.000000000 -0400
@@ -78,6 +78,24 @@
########################################
@@ -23072,19 +23072,29 @@
virt_manage_lib_files($1)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 15:00:15.000000000 -0400
-@@ -28,9 +28,7 @@
++++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 21:22:40.000000000 -0400
+@@ -5,6 +5,7 @@
+ #
+ # Declarations
+ #
++attribute virt_image_type;
+
+ ## <desc>
+ ## <p>
+@@ -27,10 +28,8 @@
+ files_type(virt_etc_rw_t)
# virt Image files
- type virt_image_t; # customizable
+-type virt_image_t; # customizable
-files_type(virt_image_t)
-# virt_image_t can be assigned to blk devices
-dev_node(virt_image_t)
++type virt_image_t, virt_image_type; # customizable
+virt_image(virt_image_t)
type virt_log_t;
logging_log_file(virt_log_t)
-@@ -45,6 +43,9 @@
+@@ -45,6 +44,9 @@
type virtd_exec_t;
init_daemon_domain(virtd_t, virtd_exec_t)
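Review bot: `virt_image_t` is now tagged with `virt_image_type` directly in `type virt_image_t, virt_image_type;` and is also passed to `virt_image(virt_image_t)` on the following line, so the hunk does not show which of the two the policy relies on for attribute membership. The body of `virt_image()` is in virt.if and is not visible here; if it does not assign the attribute itself, any other type declared through it stays outside `virt_image_type`, and rules written against the attribute will silently miss it. I would keep the assignment in one place, preferably inside the interface, and confirm that the interface still covers what the dropped `files_type(virt_image_t)` and `dev_node(virt_image_t)` calls provided. The new `attribute virt_image_type;` line also has no comment; something like `# virt_image_type: every type that may label a virt image file or block device` would restore what the removed `# virt_image_t can be assigned to blk devices` comment recorded.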
@@ -23094,7 +23104,7 @@
########################################
#
# virtd local policy
-@@ -49,9 +50,8 @@
+@@ -49,9 +51,8 @@
#
# virtd local policy
#
@@ -23105,7 +23115,7 @@
allow virtd_t self:fifo_file rw_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
-@@ -64,7 +64,7 @@
+@@ -64,7 +65,7 @@
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -23114,7 +23124,7 @@
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -82,6 +82,8 @@
+@@ -82,6 +83,8 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -23123,7 +23133,7 @@
kernel_load_module(virtd_t)
corecmd_exec_bin(virtd_t)
-@@ -93,7 +95,7 @@
+@@ -93,7 +96,7 @@
corenet_tcp_sendrecv_all_nodes(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_all_nodes(virtd_t)
@@ -23132,7 +23142,7 @@
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
-@@ -107,8 +109,10 @@
+@@ -107,8 +110,10 @@
files_read_usr_files(virtd_t)
files_read_etc_files(virtd_t)
@@ -23143,7 +23153,7 @@
fs_list_auto_mountpoints(virtd_t)
-@@ -162,26 +166,27 @@
+@@ -162,26 +167,27 @@
')
')
@@ -23180,7 +23190,7 @@
')
optional_policy(`
-@@ -189,9 +194,10 @@
+@@ -189,9 +195,10 @@
')
optional_policy(`
@@ -23294,7 +23304,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 15:02:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 21:00:40.000000000 -0400
@@ -16,6 +16,7 @@
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -23618,7 +23628,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -649,13 +571,212 @@
+@@ -649,13 +571,213 @@
xserver_read_xdm_tmp_files($2)
@@ -23780,6 +23790,7 @@
+ type clipboard_xselection_t;
+ type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t;
+ type manage_xevent_t, output_xext_t, property_xevent_t;
++ type debug_xext_t, screensaver_xext_t;
+ type shmem_xext_t, xselection_t;
+ attribute xevent_type, xextension_type;
+ ')
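Review bot: The `gen_require` block that gains `type debug_xext_t, screensaver_xext_t;` names `manage_xevent_t` twice, at the end of the `type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t;` line and again at the start of the next one. Whether or not the policy compiler accepts the repeat, it hides whether a different type was intended; if not, the second line can read `type output_xext_t, property_xevent_t;`. The interface around this block starts and ends outside the hunk, so the rules that use the two newly required extension types are not visible here. A one-line comment saying why the caller needs the debug and screensaver extension types would make the grant easier to audit.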
@@ -23835,7 +23846,7 @@
#######################################
## <summary>
## Interface to provide X object permissions on a given X server to
-@@ -682,7 +803,7 @@
+@@ -682,7 +804,7 @@
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -23844,7 +23855,7 @@
type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t;
-@@ -691,7 +812,6 @@
+@@ -691,7 +813,6 @@
attribute x_server_domain, x_domain;
attribute xproperty_type;
attribute xevent_type, xextension_type;
@@ -23852,7 +23863,7 @@
class x_drawable all_x_drawable_perms;
class x_screen all_x_screen_perms;
-@@ -708,6 +828,7 @@
+@@ -708,6 +829,7 @@
class x_resource all_x_resource_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -23860,7 +23871,7 @@
')
##############################
-@@ -715,20 +836,22 @@
+@@ -715,20 +837,22 @@
# Declarations
#
@@ -23886,7 +23897,7 @@
##############################
#
# Local Policy
-@@ -746,7 +869,7 @@
+@@ -746,7 +870,7 @@
allow $3 x_server_domain:x_server getattr;
# everyone can do override-redirect windows.
# this could be used to spoof labels
@@ -23895,7 +23906,7 @@
# everyone can receive management events on the root window
# allows to know when new windows appear, among other things
allow $3 manage_xevent_t:x_event receive;
-@@ -755,36 +878,30 @@
+@@ -755,36 +879,30 @@
# can read server-owned resources
allow $3 x_server_domain:x_resource read;
# can mess with own clients
@@ -23942,7 +23953,7 @@
# X Input
# can receive own events
-@@ -811,6 +928,12 @@
+@@ -811,6 +929,12 @@
allow $3 manage_xevent_t:x_synthetic_event send;
allow $3 client_xevent_t:x_synthetic_event send;
@@ -23955,7 +23966,7 @@
# X Selections
# can use the clipboard
allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
-@@ -819,13 +942,15 @@
+@@ -819,13 +943,15 @@
# Other X Objects
# can create and use cursors
@@ -23975,7 +23986,7 @@
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined($3),
-@@ -885,24 +1010,17 @@
+@@ -885,24 +1011,17 @@
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -24007,7 +24018,7 @@
# Allow connections to X server.
files_search_tmp($3)
-@@ -917,16 +1035,12 @@
+@@ -917,16 +1036,12 @@
xserver_rw_session_template($1, $3, $4)
xserver_use_user_fonts($1, $3)
@@ -24027,7 +24038,7 @@
')
########################################
-@@ -958,26 +1072,43 @@
+@@ -958,26 +1073,43 @@
#
template(`xserver_use_user_fonts',`
gen_require(`
@@ -24078,7 +24089,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -1003,10 +1134,77 @@
+@@ -1003,10 +1135,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
@@ -24158,7 +24169,7 @@
')
########################################
-@@ -1036,10 +1234,10 @@
+@@ -1036,10 +1235,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@@ -24171,7 +24182,7 @@
')
########################################
-@@ -1225,6 +1423,25 @@
+@@ -1225,6 +1424,25 @@
########################################
## <summary>
@@ -24197,7 +24208,7 @@
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
-@@ -1279,6 +1496,7 @@
+@@ -1279,6 +1497,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -24205,7 +24216,7 @@
')
########################################
-@@ -1297,7 +1515,7 @@
+@@ -1297,7 +1516,7 @@
')
files_search_pids($1)
@@ -24214,7 +24225,7 @@
')
########################################
-@@ -1320,6 +1538,24 @@
+@@ -1320,6 +1539,24 @@
########################################
## <summary>
@@ -24239,7 +24250,7 @@
## Execute the X server in the XDM X server domain.
## </summary>
## <param name="domain">
-@@ -1330,15 +1566,47 @@
+@@ -1330,15 +1567,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
@@ -24288,7 +24299,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1488,7 +1756,7 @@
+@@ -1488,7 +1757,7 @@
type xdm_xserver_tmp_t;
')
@@ -24297,7 +24308,7 @@
')
########################################
-@@ -1680,6 +1948,26 @@
+@@ -1680,6 +1949,26 @@
########################################
## <summary>
@@ -24324,7 +24335,7 @@
## xdm xserver RW shared memory socket.
## </summary>
## <param name="domain">
-@@ -1698,6 +1986,24 @@
+@@ -1698,6 +1987,24 @@
########################################
## <summary>
@@ -24349,7 +24360,7 @@
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1710,8 +2016,157 @@
+@@ -1710,8 +2017,157 @@
#
interface(`xserver_unconfined',`
gen_require(`