rpms/selinux-policy/devel policy-20080710.patch, 1.79, 1.80 selinux-policy.spec, 1.737, 1.738
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Oct 29 17:04:29 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8239
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
* Wed Oct 29 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-10
- Fix confined users
- Allow xguest to read/write xguest_dbusd_t
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- policy-20080710.patch 28 Oct 2008 23:22:15 -0000 1.79
+++ policy-20080710.patch 29 Oct 2008 17:03:57 -0000 1.80
@@ -557,8 +557,17 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-14 11:58:10.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-28 10:56:19.000000000 -0400
-@@ -149,6 +149,10 @@
++++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-29 09:05:23.000000000 -0400
+@@ -130,6 +130,8 @@
+ files_read_etc_files(ping_t)
+ files_dontaudit_search_var(ping_t)
+
++kernel_read_system_state(ping_t)
++
+ auth_use_nsswitch(ping_t)
+
+ libs_use_ld_so(ping_t)
+@@ -149,6 +151,10 @@
')
optional_policy(`
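Review bot: `kernel_read_system_state(ping_t)` in the new `@@ -130,6 +130,8 @@` hunk widens a network-facing utility's read access to kernel system state (the whole proc_t tree in the reference policy) with no comment saying which file ping actually needs. A one-line justification above it, e.g. `# ping reads <proc file> — TODO: name the file and the denial that prompted this`, would let a later maintainer judge whether a narrower interface exists. The surrounding netutils.te `optional_policy` block continues outside this hunk.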
@@ -6192,6 +6201,37 @@
')
########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-29 11:09:14.000000000 -0400
+@@ -1441,10 +1441,11 @@
+ #
+ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute port_type;
++ type hi_reserved_port_t, reserved_port_t;
+ ')
+
+- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1459,10 +1460,11 @@
+ #
+ interface(`corenet_udp_bind_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute port_type;
++ type hi_reserved_port_t, reserved_port_t;
+ ')
+
+- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
+ ')
+
+ ########################################
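Review bot: The rewrite of `corenet_tcp_bind_all_unreserved_ports` replaces the `-reserved_port_type` attribute exclusion with two concrete types, `-hi_reserved_port_t -reserved_port_t`, so any other port type carrying the `reserved_port_type` attribute — in the reference policy I believe that includes the individually named types for ports below 1024 — becomes bindable by every caller of an interface still named "all unreserved ports". If the wider scope is intended, the interface's `<summary>` (outside this hunk) and a comment above the allow rule should say so, e.g. `# deliberately allows named low ports; only the generic reserved ranges are excluded`; otherwise `reserved_port_type` should stay in the exclusion. The same applies to `corenet_udp_bind_all_unreserved_ports` later in the hunk.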
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-28 10:56:19.000000000 -0400
@@ -7495,7 +7535,7 @@
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-29 08:25:22.000000000 -0400
@@ -535,6 +535,24 @@
########################################
@@ -8816,7 +8856,7 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-28 11:25:32.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-29 12:00:43.000000000 -0400
@@ -15,7 +14,7 @@
role sysadm_r;
@@ -8826,6 +8866,19 @@
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+@@ -109,9 +108,9 @@
+ consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ ')
+
+-optional_policy(`
+- cron_admin_template(sysadm)
+-')
++#optional_policy(`
++# cron_admin_template(sysadm)
++#')
+
+ optional_policy(`
+ cvs_exec(sysadm_t)
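Review bot: The sysadm.te change disables `cron_admin_template(sysadm)` by commenting the block out rather than deleting it, leaving dead policy with no explanation, and "Fix confined users" in the log does not say why sysadm_t should lose these rules. Either drop the three lines or replace them with a comment giving the reason, e.g. `# cron_admin_template intentionally not applied to sysadm: <reason>`. If the template granted sysadm_t management of other users' crontabs, as its name suggests, this is a privilege reduction worth listing in the changelog.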
@@ -171,6 +170,10 @@
')
@@ -10666,7 +10719,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-29 08:27:18.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -10898,7 +10951,7 @@
')
')
-@@ -370,20 +440,45 @@
+@@ -370,20 +440,54 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -10935,6 +10988,15 @@
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
++tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
++ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
++ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
++')
++
++
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
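Review bot: The two new `tunable_policy` blocks transition httpd_t into `httpd_sys_script_t` when executing files on NFS and CIFS mounts via `fs_nfs_domtrans`/`fs_cifs_domtrans`; presumably these key on `nfs_t`/`cifs_t`, which are per-mount labels with no per-file distinction between static content and scripts, so with `httpd_enable_cgi && httpd_use_nfs` any executable file on the share becomes a CGI transition candidate. That is a broader grant than the `httpd_sys_content_t` rule that follows and deserves a comment stating it, e.g. `# nfs_t/cifs_t label whole mounts: with these booleans every executable file on the share runs as httpd_sys_script_t`. There is also a doubled blank line after the CIFS block.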
@@ -10945,7 +11007,7 @@
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -394,11 +489,12 @@
+@@ -394,11 +498,12 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -10961,7 +11023,7 @@
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
-@@ -408,6 +504,11 @@
+@@ -408,6 +513,11 @@
fs_read_cifs_symlinks(httpd_t)
')
@@ -10973,7 +11035,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +542,13 @@
+@@ -441,8 +551,13 @@
')
optional_policy(`
@@ -10989,7 +11051,7 @@
')
optional_policy(`
-@@ -454,18 +560,13 @@
+@@ -454,18 +569,13 @@
')
optional_policy(`
@@ -11009,7 +11071,7 @@
')
optional_policy(`
-@@ -475,6 +576,12 @@
+@@ -475,6 +585,12 @@
openca_kill(httpd_t)
')
@@ -11022,7 +11084,7 @@
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
-@@ -482,6 +589,7 @@
+@@ -482,6 +598,7 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
@@ -11030,7 +11092,7 @@
')
')
-@@ -490,6 +598,7 @@
+@@ -490,6 +607,7 @@
')
optional_policy(`
@@ -11038,7 +11100,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -519,9 +628,28 @@
+@@ -519,9 +637,28 @@
logging_send_syslog_msg(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
@@ -11067,7 +11129,7 @@
########################################
#
# Apache PHP script local policy
-@@ -551,22 +679,27 @@
+@@ -551,22 +688,27 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -11101,7 +11163,7 @@
')
########################################
-@@ -584,12 +717,14 @@
+@@ -584,12 +726,14 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -11117,7 +11179,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -598,9 +733,7 @@
+@@ -598,9 +742,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -11128,7 +11190,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -633,12 +766,25 @@
+@@ -633,12 +775,25 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -11157,7 +11219,7 @@
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -647,6 +793,12 @@
+@@ -647,6 +802,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -11170,7 +11232,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,20 +816,20 @@
+@@ -664,20 +825,20 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -11196,7 +11258,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +843,15 @@
+@@ -691,12 +852,15 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -11214,7 +11276,7 @@
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +859,30 @@
+@@ -704,6 +868,30 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -11245,7 +11307,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +895,10 @@
+@@ -716,10 +904,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -11260,7 +11322,7 @@
')
########################################
-@@ -727,6 +906,8 @@
+@@ -727,6 +915,8 @@
# httpd_rotatelogs local policy
#
@@ -11269,7 +11331,7 @@
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +922,66 @@
+@@ -741,3 +931,66 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -12503,7 +12565,7 @@
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-29 11:57:59.000000000 -0400
@@ -35,39 +35,24 @@
#
template(`cron_per_role_template',`
@@ -13762,7 +13824,7 @@
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-29 11:24:31.000000000 -0400
@@ -53,19 +53,19 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -13796,7 +13858,7 @@
# For connecting to the bus
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
-+ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
++ allow $2 $1_dbusd_t:unix_stream_socket { rw_socket_perms connectto };
+ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
+ allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
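Review bot: Replacing `getattr` with `rw_socket_perms` on `$1_dbusd_t:unix_stream_socket` grants more than the changelog's "read/write": in the reference policy's object permission sets `rw_socket_perms` also covers `bind`, `connect`, `setattr`, `setopt`, `shutdown` and `ioctl` on the per-role bus daemon's socket. If reading and writing an inherited descriptor is all xguest needs, spell it out: `allow $2 $1_dbusd_t:unix_stream_socket { getattr read write connectto };`. The enclosing template begins outside this hunk.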
@@ -16571,7 +16633,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 19:45:12.000000000 -0400
@@ -13,6 +13,9 @@
type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t)
@@ -16637,7 +16699,7 @@
dev_read_urand(munin_t)
domain_use_interactive_fds(munin_t)
-+domain_dontaudit_read_all_domains_state(munin_t)
++domain_read_all_domains_state(munin_t)
files_read_etc_files(munin_t)
files_read_etc_runtime_files(munin_t)
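Review bot: Changing `domain_dontaudit_read_all_domains_state(munin_t)` to `domain_read_all_domains_state(munin_t)` turns a silenced denial into a real grant: munin_t may now read the /proc state of every domain on the system. If a specific munin plugin requires this, a comment naming it would justify the widening, e.g. `# the <plugin> plugin reads /proc/<pid>/ of all processes`; without one the next reader cannot tell whether the dontaudit was simply noisy. The munin_t rules section extends beyond this hunk.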
@@ -19584,7 +19646,7 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-29 10:47:55.000000000 -0400
@@ -37,8 +37,8 @@
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)
@@ -19669,7 +19731,7 @@
miscfiles_read_localization(pptp_t)
sysnet_read_config(pptp_t)
-+sysnet_exec_ifconfig(pppd_t)
++sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -29047,7 +29109,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-29 09:04:33.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -30086,7 +30148,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-28 12:38:58.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 11:53:44.000000000 -0400
@@ -28,10 +28,14 @@
class context contains;
')
@@ -30696,7 +30758,18 @@
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
-@@ -699,188 +672,206 @@
+@@ -686,10 +659,6 @@
+
+ userdom_exec_generic_pgms_template($1)
+
+- optional_policy(`
+- userdom_xwindows_client_template($1)
+- ')
+-
+ ##############################
+ #
+ # User domain Local policy
+@@ -699,188 +668,204 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -30786,10 +30859,8 @@
- auth_read_login_records($1_t)
- auth_search_pam_console_data($1_t)
+ auth_read_login_records($1_usertype)
-+ auth_search_pam_console_data($1_usertype)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+ authlogin_per_role_template($1, $1_t, $1_r)
- init_read_utmp($1_t)
+ init_read_utmp($1_usertype)
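Review bot: The new patch still removes `auth_search_pam_console_data($1_t)` from the base user template but no longer adds the `$1_usertype` replacement (the dropped `++` line), so user domains lose search access to pam_console data altogether; `authlogin_per_role_template($1, $1_t, $1_r)` is likewise no longer added here. If this is deliberate it belongs in the changelog beside "Fix confined users"; if the rule was meant to move along with `authlogin_per_role_template` (which appears as context at the later `@@ -1087` hunk), it needs re-adding there. The template body continues on both sides of this hunk.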
@@ -30983,7 +31054,7 @@
')
#######################################
-@@ -902,9 +893,7 @@
+@@ -902,9 +887,7 @@
## </param>
#
template(`userdom_login_user_template', `
@@ -30994,7 +31065,7 @@
userdom_base_user_template($1)
-@@ -930,74 +919,77 @@
+@@ -930,74 +913,77 @@
allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
dontaudit $1_t self:process setrlimit;
@@ -31105,7 +31176,7 @@
')
')
-@@ -1031,9 +1023,6 @@
+@@ -1031,9 +1017,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -31115,7 +31186,7 @@
typeattribute $1_tty_device_t user_ttynode;
##############################
-@@ -1042,12 +1031,25 @@
+@@ -1042,12 +1025,25 @@
#
# privileged home directory writers
@@ -31147,7 +31218,17 @@
optional_policy(`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
-@@ -1087,14 +1089,16 @@
+@@ -1079,7 +1075,9 @@
+
+ userdom_restricted_user_template($1)
+
++ optional_policy(`
+ userdom_xwindows_client_template($1)
++ ')
+
+ ##############################
+ #
+@@ -1087,14 +1085,16 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
@@ -31169,23 +31250,23 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1102,28 +1106,19 @@
+@@ -1102,28 +1102,19 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
- alsa_read_rw_config($1_t)
-+ alsa_read_rw_config($1_usertype)
- ')
-
- optional_policy(`
+- ')
+-
+- optional_policy(`
- dbus_per_role_template($1, $1_t, $1_r)
- dbus_system_bus_client_template($1, $1_t)
-
- optional_policy(`
- consolekit_dbus_chat($1_t)
-- ')
--
-- optional_policy(`
++ alsa_read_rw_config($1_usertype)
+ ')
+
+ optional_policy(`
- cups_dbus_chat($1_t)
- ')
+ apache_per_role_template($1, $1_usertype, $1_r)
@@ -31202,7 +31283,7 @@
')
')
-@@ -1134,8 +1129,7 @@
+@@ -1134,8 +1125,7 @@
## </summary>
## <desc>
## <p>
@@ -31212,17 +31293,17 @@
## </p>
## <p>
## This template creates a user domain, types, and
-@@ -1157,8 +1151,8 @@
+@@ -1157,8 +1147,8 @@
# Declarations
#
-+ userdom_login_user_template($1)
++ userdom_restricted_xwindows_user_template($1)
# Inherit rules for ordinary users.
- userdom_restricted_user_template($1)
userdom_common_user_template($1)
##############################
-@@ -1167,11 +1161,10 @@
+@@ -1167,11 +1157,10 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -31235,7 +31316,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1189,36 +1182,41 @@
+@@ -1189,36 +1178,41 @@
')
')
@@ -31290,7 +31371,7 @@
')
')
-@@ -1263,8 +1261,7 @@
+@@ -1263,8 +1257,7 @@
#
# Inherit rules for ordinary users.
@@ -31300,7 +31381,7 @@
typeattribute $1_t privhome;
domain_obj_id_change_exemption($1_t)
-@@ -1295,8 +1292,6 @@
+@@ -1295,8 +1288,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -31309,7 +31390,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1318,8 +1313,6 @@
+@@ -1318,8 +1309,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -31318,7 +31399,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1374,13 +1367,6 @@
+@@ -1374,13 +1363,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -31332,7 +31413,7 @@
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1432,6 +1418,7 @@
+@@ -1432,6 +1414,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -31340,7 +31421,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1461,10 +1448,6 @@
+@@ -1461,10 +1444,6 @@
seutil_run_semanage($1,$2,$3)
seutil_run_setfiles($1, $2, $3)
@@ -31351,7 +31432,7 @@
optional_policy(`
aide_run($1,$2, $3)
')
-@@ -1484,6 +1467,14 @@
+@@ -1484,6 +1463,14 @@
optional_policy(`
netlabel_run_mgmt($1,$2, $3)
')
@@ -31366,7 +31447,7 @@
')
########################################
-@@ -1741,11 +1732,15 @@
+@@ -1741,11 +1728,15 @@
#
template(`userdom_user_home_content',`
gen_require(`
@@ -31385,7 +31466,7 @@
')
########################################
-@@ -1841,11 +1836,11 @@
+@@ -1841,11 +1832,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -31399,7 +31480,7 @@
')
########################################
-@@ -1875,11 +1870,11 @@
+@@ -1875,11 +1866,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -31413,7 +31494,7 @@
')
########################################
-@@ -1923,12 +1918,12 @@
+@@ -1923,12 +1914,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -31429,7 +31510,7 @@
')
########################################
-@@ -1958,10 +1953,11 @@
+@@ -1958,10 +1949,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -31443,7 +31524,7 @@
')
########################################
-@@ -1993,11 +1989,47 @@
+@@ -1993,11 +1985,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -31493,7 +31574,7 @@
')
########################################
-@@ -2029,10 +2061,10 @@
+@@ -2029,10 +2057,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -31506,7 +31587,7 @@
')
########################################
-@@ -2062,11 +2094,11 @@
+@@ -2062,11 +2090,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -31520,7 +31601,7 @@
')
########################################
-@@ -2096,11 +2128,11 @@
+@@ -2096,11 +2124,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -31535,7 +31616,7 @@
')
########################################
-@@ -2130,10 +2162,14 @@
+@@ -2130,10 +2158,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -31552,7 +31633,7 @@
')
########################################
-@@ -2163,11 +2199,11 @@
+@@ -2163,11 +2195,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -31566,7 +31647,7 @@
')
########################################
-@@ -2197,11 +2233,11 @@
+@@ -2197,11 +2229,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -31580,7 +31661,7 @@
')
########################################
-@@ -2231,10 +2267,10 @@
+@@ -2231,10 +2263,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -31593,7 +31674,7 @@
')
########################################
-@@ -2266,12 +2302,12 @@
+@@ -2266,12 +2298,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -31609,7 +31690,7 @@
')
########################################
-@@ -2303,10 +2339,10 @@
+@@ -2303,10 +2335,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -31622,7 +31703,7 @@
')
########################################
-@@ -2338,12 +2374,12 @@
+@@ -2338,12 +2370,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -31638,7 +31719,7 @@
')
########################################
-@@ -2375,12 +2411,12 @@
+@@ -2375,12 +2407,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -31654,7 +31735,7 @@
')
########################################
-@@ -2412,12 +2448,12 @@
+@@ -2412,12 +2444,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -31670,7 +31751,7 @@
')
########################################
-@@ -2462,11 +2498,11 @@
+@@ -2462,11 +2494,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -31684,7 +31765,7 @@
')
########################################
-@@ -2511,11 +2547,11 @@
+@@ -2511,11 +2543,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -31698,7 +31779,7 @@
')
########################################
-@@ -2555,11 +2591,11 @@
+@@ -2555,11 +2587,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -31712,7 +31793,7 @@
')
########################################
-@@ -2589,11 +2625,11 @@
+@@ -2589,11 +2621,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -31726,7 +31807,7 @@
')
########################################
-@@ -2623,11 +2659,11 @@
+@@ -2623,11 +2655,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -31740,7 +31821,7 @@
')
########################################
-@@ -2659,10 +2695,10 @@
+@@ -2659,10 +2691,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -31753,7 +31834,7 @@
')
########################################
-@@ -2694,10 +2730,10 @@
+@@ -2694,10 +2726,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -31766,7 +31847,7 @@
')
########################################
-@@ -2727,12 +2763,12 @@
+@@ -2727,12 +2759,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -31782,7 +31863,7 @@
')
########################################
-@@ -2764,10 +2800,10 @@
+@@ -2764,10 +2796,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -31795,7 +31876,7 @@
')
########################################
-@@ -2799,10 +2835,10 @@
+@@ -2799,10 +2831,10 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -31808,7 +31889,7 @@
')
########################################
-@@ -2832,12 +2868,12 @@
+@@ -2832,12 +2864,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -31824,7 +31905,7 @@
')
########################################
-@@ -2869,10 +2905,10 @@
+@@ -2869,10 +2901,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -31837,7 +31918,7 @@
')
########################################
-@@ -2904,12 +2940,12 @@
+@@ -2904,12 +2936,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -31853,7 +31934,7 @@
')
########################################
-@@ -2941,11 +2977,11 @@
+@@ -2941,11 +2973,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -31867,7 +31948,7 @@
')
########################################
-@@ -2977,11 +3013,11 @@
+@@ -2977,11 +3009,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -31881,7 +31962,7 @@
')
########################################
-@@ -3013,11 +3049,11 @@
+@@ -3013,11 +3045,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -31895,7 +31976,7 @@
')
########################################
-@@ -3049,11 +3085,11 @@
+@@ -3049,11 +3081,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -31909,7 +31990,7 @@
')
########################################
-@@ -3085,11 +3121,11 @@
+@@ -3085,11 +3117,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -31923,7 +32004,7 @@
')
########################################
-@@ -3134,10 +3170,10 @@
+@@ -3134,10 +3166,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -31936,7 +32017,7 @@
files_search_tmp($2)
')
-@@ -3178,19 +3214,19 @@
+@@ -3178,19 +3210,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -31960,7 +32041,7 @@
## </p>
## <p>
## This is a templated interface, and should only
-@@ -3211,13 +3247,13 @@
+@@ -3211,13 +3243,13 @@
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
@@ -31978,7 +32059,7 @@
')
########################################
-@@ -4616,11 +4652,11 @@
+@@ -4616,11 +4648,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -31992,7 +32073,7 @@
')
########################################
-@@ -4640,6 +4676,14 @@
+@@ -4640,6 +4672,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -32007,7 +32088,7 @@
')
########################################
-@@ -4677,6 +4721,8 @@
+@@ -4677,6 +4717,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -32016,7 +32097,7 @@
')
########################################
-@@ -4721,6 +4767,25 @@
+@@ -4721,6 +4763,25 @@
########################################
## <summary>
@@ -32042,7 +32123,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4946,7 +5011,7 @@
+@@ -4946,7 +5007,7 @@
########################################
## <summary>
@@ -32051,7 +32132,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5318,7 +5383,7 @@
+@@ -5318,7 +5379,7 @@
########################################
## <summary>
@@ -32060,7 +32141,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5326,18 +5391,17 @@
+@@ -5326,18 +5387,17 @@
## </summary>
## </param>
#
@@ -32083,7 +32164,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5345,17 +5409,17 @@
+@@ -5345,17 +5405,17 @@
## </summary>
## </param>
#
@@ -32105,7 +32186,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5363,18 +5427,18 @@
+@@ -5363,18 +5423,18 @@
## </summary>
## </param>
#
@@ -32129,18 +32210,16 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -5382,12 +5446,49 @@
+@@ -5382,7 +5442,44 @@
## </summary>
## </param>
#
-interface(`userdom_getattr_all_users',`
+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
- gen_require(`
-- attribute userdomain;
++ gen_require(`
+ attribute user_ttynode;
- ')
-
-- allow $1 userdomain:process getattr;
++ ')
++
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
+')
+
@@ -32174,15 +32253,10 @@
+## </param>
+#
+interface(`userdom_getattr_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process getattr;
- ')
-
- ########################################
-@@ -5483,6 +5584,42 @@
+ gen_require(`
+ attribute userdomain;
+ ')
+@@ -5483,6 +5580,42 @@
########################################
## <summary>
@@ -32225,7 +32299,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5513,3 +5650,548 @@
+@@ -5513,3 +5646,546 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -32593,9 +32667,7 @@
+#
+template(`userdom_admin_login_user_template',`
+
-+ userdom_login_user_template($1)
-+
-+ allow $1_t self:capability sys_nice;
++ userdom_unpriv_user_template($1)
+
+ domain_read_all_domains_state($1_t)
+ domain_getattr_all_domains($1_t)
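Review bot: `userdom_admin_login_user_template` now derives from `userdom_unpriv_user_template($1)` instead of `userdom_login_user_template($1)`, and that template (per the `@@ -1157` hunk earlier) appears to pull in `userdom_restricted_xwindows_user_template`, so admin login domains inherit the full ordinary-user and X client rule set; the explicit `allow $1_t self:capability sys_nice;` is dropped at the same time. Both are policy changes rather than refactors, so a comment above the call should record the intent, e.g. `# admin login users start from the unprivileged user template; sys_nice deliberately dropped — TODO confirm`. The template body continues past the end of this hunk.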
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.737
retrieving revision 1.738
diff -u -r1.737 -r1.738
--- selinux-policy.spec 28 Oct 2008 23:22:15 -0000 1.737
+++ selinux-policy.spec 29 Oct 2008 17:03:58 -0000 1.738
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 9%{?dist}
+Release: 10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -457,6 +457,10 @@
%endif
%changelog
+* Wed Oct 29 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-10
+- Fix confined users
+- Allow xguest to read/write xguest_dbusd_t
+
* Mon Oct 27 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-9
- Allow openoffice execstack/execmem privs