rpms/selinux-policy/devel policy-20080710.patch, 1.75, 1.76 selinux-policy.spec, 1.733, 1.734

Daniel J Walsh dwalsh at fedoraproject.org
Sat Oct 25 11:14:57 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22368

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
* Fri Oct 24 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-8
- Allow mozilla to run with unconfined_execmem_t


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.75
retrieving revision 1.76
diff -u -r1.75 -r1.76
--- policy-20080710.patch	24 Oct 2008 13:41:09 -0000	1.75
+++ policy-20080710.patch	25 Oct 2008 11:14:55 -0000	1.76
@@ -11824,7 +11824,7 @@
  	allow ndc_t named_conf_t:dir search;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.13/policy/modules/services/bluetooth.fc
 --- nsaserefpolicy/policy/modules/services/bluetooth.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc	2008-10-25 07:10:51.000000000 -0400
 @@ -3,6 +3,9 @@
  #
  /etc/bluetooth(/.*)?		gen_context(system_u:object_r:bluetooth_conf_t,s0)
@@ -11835,7 +11835,14 @@
  
  #
  # /usr
-@@ -22,3 +25,4 @@
+@@ -16,9 +19,11 @@
+ /usr/sbin/hcid		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/sbin/hid2hci	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/sbin/sdpd		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
++/usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ 
+ #
+ # /var
  #
  /var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
  /var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
@@ -14517,8 +14524,8 @@
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if	2008-10-23 17:21:21.000000000 -0400
-@@ -1 +1,156 @@
++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if	2008-10-24 11:31:46.000000000 -0400
+@@ -1 +1,175 @@
  ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
 +
 +########################################
@@ -14621,7 +14628,7 @@
 +
 +########################################
 +## <summary>
-+##	Send dnsmasq a sigkill
++##	Delete dnsmasq pid files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14640,6 +14647,25 @@
 +
 +########################################
 +## <summary>
++##	Read dnsmasq pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`dnsmasq_read_pid_files',`
++	gen_require(`
++		type dnsmasq_var_run_t;
++	')
++
++	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate 
 +##	an dnsmasq environment
 +## </summary>
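Review bot: The documentation block of the new `dnsmasq_read_pid_files` interface ends with two bare `#` lines before `interface(`; reference-policy interface headers normally close the XML comment with a single `#`, so the second one looks like a copy-paste slip and can be dropped. The body itself follows the usual read-pattern idiom, granting search on the pid directory and read on the files, so nothing else to raise there. The `dnsmasq_admin` doc block that begins at the bottom of this hunk continues outside it.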
@@ -16978,13 +17004,13 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2008-10-23 16:47:42.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2008-10-24 11:33:18.000000000 -0400
 @@ -33,9 +33,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161) 
 -allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
  dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 -allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
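Review bot: `sys_ptrace` is now both allowed on the rewritten capability line and dontaudited on the line that follows it, so the dontaudit entry for it is dead and should shrink to `dontaudit NetworkManager_t self:capability sys_tty_config;`. CAP_SYS_PTRACE is also broader than the `self:process ptrace` permission that the comment above ("will ptrace itself if gdb is installed") justifies; if a denial on the capability was observed during that self-trace, a one-line comment naming the trigger would keep the grant from reading as accidental. The inner `@@ -33,9 +33,9 @@` hunk of networkmanager.te continues past the lines visible here.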
@@ -17085,7 +17111,7 @@
  ')
  
  optional_policy(`
-@@ -151,8 +173,20 @@
+@@ -151,8 +173,21 @@
  ')
  
  optional_policy(`
@@ -17095,6 +17121,7 @@
 +')
 +
 +optional_policy(`
++	dnsmasq_read_pid_files(NetworkManager_t)
 +	dnsmasq_delete_pid_files(NetworkManager_t)
 +	dnsmasq_domtrans(NetworkManager_t)
 +	dnsmasq_initrc_domtrans(NetworkManager_t)
@@ -17108,7 +17135,7 @@
  ')
  
  optional_policy(`
-@@ -160,23 +194,48 @@
+@@ -160,23 +195,48 @@
  ')
  
  optional_policy(`
@@ -17159,7 +17186,7 @@
  ')
  
  optional_policy(`
-@@ -194,7 +253,9 @@
+@@ -194,7 +254,9 @@
  
  optional_policy(`
  	vpn_domtrans(NetworkManager_t)
@@ -29617,7 +29644,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te	2008-10-23 10:34:43.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te	2008-10-24 10:26:04.000000000 -0400
 @@ -6,35 +6,76 @@
  # Declarations
  #
@@ -29702,7 +29729,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,28 +83,37 @@
+@@ -42,28 +83,39 @@
  logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -29721,6 +29748,8 @@
 +optional_policy(`
 +	nsplugin_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
 +	tunable_policy(`allow_unconfined_nsplugin_transition',`
++	      nsplugin_domtrans_user(unconfined, unconfined_execmem_t)
++	      nsplugin_domtrans_user_config(unconfined, unconfined_execmem_t)
 +	      nsplugin_domtrans_user(unconfined, unconfined_t)
 +	      nsplugin_domtrans_user_config(unconfined, unconfined_t)
 +	')
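Review bot: The two new `nsplugin_domtrans_user*(unconfined, unconfined_execmem_t)` calls sit in the true branch of `allow_unconfined_nsplugin_transition`, while the only transition of mozilla into unconfined_execmem_t shown on this page (the `domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)` later in the same file) is in the tunable's false branch, so with the tunable on mozilla presumably keeps running as unconfined_t. A comment above the new lines saying which execmem-domain callers they are meant for would spare the next reader working that out. The enclosing optional_policy block starts at the first line of this hunk and ends outside it.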
@@ -29744,7 +29773,7 @@
  ')
  
  optional_policy(`
-@@ -75,12 +125,6 @@
+@@ -75,12 +127,6 @@
  ')
  
  optional_policy(`
@@ -29757,7 +29786,7 @@
  	init_dbus_chat_script(unconfined_t)
  
  	dbus_stub(unconfined_t)
-@@ -106,12 +150,24 @@
+@@ -106,12 +152,24 @@
  	')
  
  	optional_policy(`
@@ -29782,7 +29811,7 @@
  ')
  
  optional_policy(`
-@@ -123,31 +179,33 @@
+@@ -123,31 +181,33 @@
  ')
  
  optional_policy(`
@@ -29823,7 +29852,7 @@
  ')
  
  optional_policy(`
-@@ -159,43 +217,48 @@
+@@ -159,43 +219,48 @@
  ')
  
  optional_policy(`
@@ -29832,9 +29861,9 @@
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
 -')
--
 +	qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
  
+-
 -optional_policy(`
 -	pyzor_per_role_template(unconfined)
 +	tunable_policy(`allow_unconfined_qemu_transition',`
@@ -29888,7 +29917,7 @@
  ')
  
  optional_policy(`
-@@ -203,7 +266,7 @@
+@@ -203,7 +268,7 @@
  ')
  
  optional_policy(`
@@ -29897,7 +29926,7 @@
  ')
  
  optional_policy(`
-@@ -215,11 +278,12 @@
+@@ -215,11 +280,12 @@
  ')
  
  optional_policy(`
@@ -29912,7 +29941,7 @@
  ')
  
  ########################################
-@@ -229,14 +293,52 @@
+@@ -229,14 +295,50 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -29958,13 +29987,11 @@
 +	domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
 +')
 +
-+optional_policy(`
-+	tunable_policy(`allow_unconfined_nsplugin_transition',`', `
-+		gen_require(`
-+			type mozilla_exec_t;
-+		')
-+		domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
++tunable_policy(`allow_unconfined_nsplugin_transition',`', `
++	gen_require(`
++		type mozilla_exec_t;
 +	')
++	domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc
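Review bot: Dropping the `optional_policy(` wrapper leaves the `gen_require` on `mozilla_exec_t` at the top level of unconfined.te, guarded only by the tunable; since tunable_policy does not make a require optional, this presumably turns the mozilla module into a hard link-time dependency of the unconfined module, so loading unconfined without mozilla would fail rather than skip the rule. If that is not intended, keep the wrapper: `optional_policy(\`` before the `tunable_policy(` line and a matching `')` after its closing `')`. If it is intended, a one-line comment stating that unconfined now requires the mozilla module would document the change.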


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.733
retrieving revision 1.734
diff -u -r1.733 -r1.734
--- selinux-policy.spec	24 Oct 2008 13:41:09 -0000	1.733
+++ selinux-policy.spec	25 Oct 2008 11:14:56 -0000	1.734
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -462,6 +462,9 @@
 %endif
 
 %changelog
+* Fri Oct 24 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-8
+- Allow mozilla to run with unconfined_execmem_t
+
 * Thu Oct 23 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-7
 - Dontaudit domains trying to write to .xsession-errors
 



