rpms/selinux-policy/F-10 policy-20080710.patch, 1.158, 1.159 selinux-policy.spec, 1.786, 1.787
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Apr 7 12:15:40 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19566
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
- Add qemu_use_comm boolean
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.158
retrieving revision 1.159
diff -u -r1.158 -r1.159
--- policy-20080710.patch 3 Apr 2009 13:33:31 -0000 1.158
+++ policy-20080710.patch 7 Apr 2009 12:15:38 -0000 1.159
@@ -5844,7 +5844,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2009-02-26 15:42:13.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2009-04-06 22:47:33.000000000 +0200
@@ -6,6 +6,9 @@
# Declarations
#
@@ -5855,7 +5855,7 @@
## <desc>
## <p>
## Allow qemu to connect fully to the network
-@@ -13,16 +16,120 @@
+@@ -13,16 +16,128 @@
## </desc>
gen_tunable(qemu_full_network, false)
@@ -5880,6 +5880,14 @@
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
++## <desc>
++## <p>
++## Allow qemu to user serial/parallell communication ports
++## </p>
++## </desc>
++gen_tunable(qemu_use_comm, false)
++
++
type qemu_exec_t;
qemu_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
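Review bot: The description added for `qemu_use_comm` has two typos that will show up wherever the boolean's description is displayed; it should read `## Allow qemu to use serial/parallel communication ports`. Defaulting the tunable to `false` keeps the extra device access opt-in, which is the right choice. The `%changelog` entry added for 3.5.13-55 in selinux-policy.spec mentions only the swat_t change, so an administrator auditing the update would not learn about the new boolean from the package changelog; a line such as `- Add qemu_use_comm boolean` there would close that gap.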
@@ -5976,10 +5984,15 @@
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
-@@ -35,6 +142,38 @@
+@@ -35,6 +150,43 @@
corenet_tcp_connect_all_ports(qemu_t)
')
++tunable_policy(`qemu_use_comm',`
++ term_use_unallocated_ttys(qemu_t)
++ dev_rw_printer(qemu_t)
++')
++
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
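Review bot: `term_use_unallocated_ttys(qemu_t)` in the new `qemu_use_comm` block probably grants more than the boolean's description implies. The interface is defined outside this diff, but in the reference policy it applies to the generic tty device type, which as far as I know labels virtual consoles as well as serial lines. Likewise `dev_rw_printer` applies to everything labelled `printer_device_t` (the devices.fc part of this patch shows `/dev/lp.*`), not only to a parallel port handed to a guest. Since qemu_t confines a process that runs guest code, I would state the real scope above the block, e.g. `# Grants rw on all unallocated ttys and all printer devices, not only the port given to the guest`, and consider a dedicated type for serial devices as a follow-up.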
@@ -7200,7 +7213,7 @@
network_port(xfs, tcp,7100,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2009-04-03 15:22:46.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2009-04-07 09:18:47.000000000 +0200
@@ -1,8 +1,9 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
@@ -7212,7 +7225,7 @@
/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
-@@ -12,44 +13,65 @@
+@@ -12,44 +13,66 @@
/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -7250,6 +7263,7 @@
+/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
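Review bot: The new `/dev/lirc[0-9]+` entry requires at least one digit, so a bare `/dev/lirc` node would not receive `lirc_device_t`, although the type declaration added in devices.te is commented as `Type for /dev/lirc`. Whether an unnumbered node exists on the target systems is not visible here; if it does, it keeps its default device label and lircd_t is denied, which fails closed but leaves the policy and its comment disagreeing. If the bare name is meant to be covered, `/dev/lirc[0-9]*` would match it without catching `/dev/lircm`; otherwise the devices.te comment should name the numbered nodes.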
@@ -7278,7 +7292,7 @@
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
-@@ -68,18 +90,20 @@
+@@ -68,18 +91,20 @@
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
@@ -7302,7 +7316,7 @@
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
-@@ -91,14 +115,20 @@
+@@ -91,14 +116,20 @@
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
@@ -7324,7 +7338,7 @@
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
-@@ -106,10 +136,15 @@
+@@ -106,10 +137,15 @@
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
@@ -7342,7 +7356,7 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2009-04-03 10:50:33.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2009-04-06 22:35:09.000000000 +0200
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -7535,7 +7549,7 @@
')
########################################
-@@ -1507,6 +1638,96 @@
+@@ -1507,6 +1638,151 @@
########################################
## <summary>
@@ -7627,12 +7641,67 @@
+ rw_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
++#######################################
++## <summary>
++## Read the lirc device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_lirc',`
++ gen_require(`
++ type device_t, lirc_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, lirc_device_t)
++')
++
++#######################################
++## <summary>
++## Read and write the lirc device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_lirc',`
++ gen_require(`
++ type device_t, lirc_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, lirc_device_t)
++')
++
++#######################################
++## <summary>
++## Automatic type transition to the type
++## for lirc device nodes when created in /dev.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_filetrans_lirc',`
++ gen_require(`
++ type device_t, lirc_device_t;
++ ')
++
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file)
++')
++
+########################################
+## <summary>
## Read the lvm comtrol device.
## </summary>
## <param name="domain">
-@@ -1958,6 +2179,96 @@
+@@ -1958,6 +2234,96 @@
########################################
## <summary>
@@ -7729,7 +7798,7 @@
## Read and write to the null device (/dev/null).
## </summary>
## <param name="domain">
-@@ -2104,6 +2415,98 @@
+@@ -2104,6 +2470,98 @@
########################################
## <summary>
@@ -7828,7 +7897,7 @@
## Read from random number generator
## devices (e.g., /dev/random)
## </summary>
-@@ -2142,6 +2545,25 @@
+@@ -2142,6 +2600,25 @@
########################################
## <summary>
@@ -7854,7 +7923,7 @@
## Write to the random device (e.g., /dev/random). This adds
## entropy used to generate the random data read from the
## random device.
-@@ -2769,6 +3191,24 @@
+@@ -2769,6 +3246,24 @@
########################################
## <summary>
@@ -7879,7 +7948,7 @@
## Read and write generic the USB devices.
## </summary>
## <param name="domain">
-@@ -2957,6 +3397,25 @@
+@@ -2957,6 +3452,25 @@
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@@ -7905,7 +7974,7 @@
########################################
## <summary>
## Get the attributes of video4linux devices.
-@@ -3322,3 +3781,22 @@
+@@ -3322,3 +3836,22 @@
typeattribute $1 devices_unconfined_type;
')
@@ -7930,7 +7999,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2009-04-03 10:51:23.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2009-04-07 00:12:12.000000000 +0200
@@ -1,5 +1,5 @@
-policy_module(devices, 1.7.0)
@@ -7951,7 +8020,7 @@
type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)
-@@ -66,12 +72,25 @@
+@@ -66,12 +72,31 @@
dev_node(framebuf_device_t)
#
@@ -7974,10 +8043,16 @@
+dev_node(kvm_device_t)
+
+#
++## Type for /dev/lirc
++##
++type lirc_device_t;
++dev_node(lirc_device_t)
++
++#
# Type for /dev/mapper/control
#
type lvm_control_t;
-@@ -104,6 +123,12 @@
+@@ -104,6 +129,12 @@
genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
#
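Review bot: The comment on the new `lirc_device_t` declaration uses `##` (`## Type for /dev/lirc` and a closing `##`) where the neighbouring declarations in this file use a single `#`. In the reference policy `##` lines are, as far as I know, collected as XML documentation, so free text there is at best inconsistent and may confuse the documentation tooling. I would write it as `# Type for /dev/lirc` followed by `#`, matching the `# Type for /dev/mapper/control` block right after it.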
@@ -7990,7 +8065,7 @@
# null_device_t is the type of /dev/null.
#
type null_device_t;
-@@ -128,6 +153,12 @@
+@@ -128,6 +159,12 @@
mls_file_write_within_range(printer_device_t)
#
@@ -8003,7 +8078,7 @@
# random_device_t is the type of /dev/random
#
type random_device_t;
-@@ -157,6 +188,12 @@
+@@ -157,6 +194,12 @@
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
#
@@ -16003,15 +16078,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.5.13/policy/modules/services/dcc.fc
--- nsaserefpolicy/policy/modules/services/dcc.fc 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/dcc.fc 2009-03-27 15:03:55.000000000 +0100
-@@ -10,6 +10,7 @@
- /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
- /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
++++ serefpolicy-3.5.13/policy/modules/services/dcc.fc 2009-04-06 13:11:38.000000000 +0200
+@@ -12,6 +12,8 @@
-+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
++/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
++/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+ /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+ /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.13/policy/modules/services/dcc.if
--- nsaserefpolicy/policy/modules/services/dcc.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dcc.if 2009-02-10 15:07:15.000000000 +0100
@@ -18406,8 +18482,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.5.13/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/lircd.te 2009-04-03 15:23:05.000000000 +0200
-@@ -0,0 +1,60 @@
++++ serefpolicy-3.5.13/policy/modules/services/lircd.te 2009-04-07 09:19:24.000000000 +0200
+@@ -0,0 +1,64 @@
+policy_module(lircd,1.0.0)
+
+########################################
@@ -18440,6 +18516,7 @@
+#
+
+allow lircd_t self:process signal;
++allow lircd_t self:fifo_file rw_fifo_file_perms;
+allow lircd_t self:unix_dgram_socket create_socket_perms;
+
+# etc file
@@ -18454,6 +18531,9 @@
+manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
+dev_filetrans(lircd_t, lircd_sock_t, sock_file )
+
++dev_filetrans_lirc(lircd_t)
++dev_rw_lirc(lircd_t)
++
+files_read_etc_files(lircd_t)
+
+files_list_var(lircd_t)
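Review bot: `dev_filetrans_lirc(lircd_t)` sets up a type transition, but nothing visible in this commit lets lircd_t actually create a `lirc_device_t` character device. `dev_rw_lirc` grants read/write only, and the visible part of lircd.te shows no create permission on that type and no mknod capability; the file is only partly shown in these hunks, so such a rule may exist outside them. If lircd only opens nodes that something else creates, the transition is unused and `dev_rw_lirc(lircd_t)` alone is the narrower grant; if it does create the node, the matching create permission should sit next to the call with a comment such as `# lircd creates its own /dev/lirc* node`.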
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.786
retrieving revision 1.787
diff -u -r1.786 -r1.787
--- selinux-policy.spec 30 Mar 2009 14:56:27 -0000 1.786
+++ selinux-policy.spec 7 Apr 2009 12:15:39 -0000 1.787
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 54%{?dist}
+Release: 55%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,9 @@
%endif
%changelog
+* Tue Apr 7 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-55
+- Allow swat_t domtrans to smbd_t
+
* Mon Mar 30 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-54
- Allow bitlbee_t to read /proc/meminfo
- Fix lircd policy