rpms/selinux-policy/F-10 policy-20080710.patch, 1.158, 1.159 selinux-policy.spec, 1.786, 1.787

Miroslav Grepl mgrepl at fedoraproject.org
Tue Apr 7 12:15:40 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19566

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
- Add qemu_use_comm boolean



policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.158
retrieving revision 1.159
diff -u -r1.158 -r1.159
--- policy-20080710.patch	3 Apr 2009 13:33:31 -0000	1.158
+++ policy-20080710.patch	7 Apr 2009 12:15:38 -0000	1.159
@@ -5844,7 +5844,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te	2009-02-26 15:42:13.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te	2009-04-06 22:47:33.000000000 +0200
 @@ -6,6 +6,9 @@
  # Declarations
  #
@@ -5855,7 +5855,7 @@
  ## <desc>
  ## <p>
  ## Allow qemu to connect fully to the network
-@@ -13,16 +16,120 @@
+@@ -13,16 +16,128 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
  
@@ -5880,6 +5880,14 @@
 +## </desc>
 +gen_tunable(qemu_use_usb, true)
 +
++## <desc>
++## <p>
++## Allow qemu to user serial/parallell communication ports
++## </p>
++## </desc>
++gen_tunable(qemu_use_comm, false)
++
++
  type qemu_exec_t;
  qemu_domain_template(qemu)
  application_domain(qemu_t, qemu_exec_t)
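Review bot: The description text of the new `qemu_use_comm` tunable has two typos, `user` for `use` and `parallell` for `parallel`; this string is what `semanage boolean -l` and the generated booleans documentation show to administrators, so it should read `## Allow qemu to use serial/parallel communication ports`. The 3.5.13-55 changelog entry added to selinux-policy.spec in this same commit lists only the swat change, so neither this boolean nor the lirc device type is recorded there; adding `- Add qemu_use_comm boolean` to that entry, matching the commit log message, would keep the spec changelog accurate. The outer hunk header change above (`+16,120` to `+16,128`) matches the eight lines added here.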
@@ -5976,10 +5984,15 @@
  tunable_policy(`qemu_full_network',`
  	allow qemu_t self:udp_socket create_socket_perms;
  
-@@ -35,6 +142,38 @@
+@@ -35,6 +150,43 @@
  	corenet_tcp_connect_all_ports(qemu_t)
  ')
  
++tunable_policy(`qemu_use_comm',`
++        term_use_unallocated_ttys(qemu_t)
++        dev_rw_printer(qemu_t)
++')
++
 +tunable_policy(`qemu_use_cifs',`
 +	fs_manage_cifs_dirs(qemu_t)
 +	fs_manage_cifs_files(qemu_t)
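Review bot: The new `qemu_use_comm` tunable_policy block grants `term_use_unallocated_ttys(qemu_t)`, which as far as I can tell covers every device node labelled as an unallocated tty, not only the serial ports, and `dev_rw_printer(qemu_t)` covers the printer device nodes; the tunable description added earlier in this patch mentions only "serial/parallel communication ports", so the description should state the full breadth an administrator enables by turning the boolean on. The two new allow lines are indented with eight spaces while the neighbouring `qemu_use_cifs` block uses a tab; indent them with a tab so the block reads like the rest of qemu.te. The outer hunk header change on the line above is consistent with the five lines added here.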
@@ -7200,7 +7213,7 @@
  network_port(xfs, tcp,7100,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc	2009-04-03 15:22:46.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc	2009-04-07 09:18:47.000000000 +0200
 @@ -1,8 +1,9 @@
  
  /dev			-d	gen_context(system_u:object_r:device_t,s0)
@@ -7212,7 +7225,7 @@
  /dev/admmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
-@@ -12,44 +13,65 @@
+@@ -12,44 +13,66 @@
  /dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
  /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -7250,6 +7263,7 @@
 +/dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
 +/dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 +/dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
++/dev/lirc[0-9]+         -c      gen_context(system_u:object_r:lirc_device_t,s0)
  /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
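Review bot: The new `/dev/lirc[0-9]+` file context line is aligned with spaces while every neighbouring entry in devices.fc separates path, `-c` and context with tabs; use tabs so the column alignment survives. The pattern matches only numbered nodes, so a bare `/dev/lirc`, if one is ever created, would keep the generic `device_t` label; if that node exists on real systems, `/dev/lirc[0-9]*` would cover both. Since fc patterns are matched against the full path, the entry does not overlap the `/dev/lircm` mouse entry directly below it.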
@@ -7278,7 +7292,7 @@
  /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
  /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
-@@ -68,18 +90,20 @@
+@@ -68,18 +91,20 @@
  /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -7302,7 +7316,7 @@
  /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
-@@ -91,14 +115,20 @@
+@@ -91,14 +116,20 @@
  
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
@@ -7324,7 +7338,7 @@
  /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
  /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-@@ -106,10 +136,15 @@
+@@ -106,10 +137,15 @@
  
  /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
  
@@ -7342,7 +7356,7 @@
  /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if	2009-04-03 10:50:33.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.if	2009-04-06 22:35:09.000000000 +0200
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -7535,7 +7549,7 @@
  ')
  
  ########################################
-@@ -1507,6 +1638,96 @@
+@@ -1507,6 +1638,151 @@
  
  ########################################
  ## <summary>
@@ -7627,12 +7641,67 @@
 +	rw_chr_files_pattern($1, device_t, kvm_device_t)
 +')
 +
++#######################################
++## <summary>
++##      Read the lirc device.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`dev_read_lirc',`
++        gen_require(`
++                type device_t, lirc_device_t;
++        ')
++
++        read_chr_files_pattern($1, device_t, lirc_device_t)
++')
++
++#######################################
++## <summary>
++##      Read and write the lirc device.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`dev_rw_lirc',`
++        gen_require(`
++                type device_t, lirc_device_t;
++        ')
++
++        rw_chr_files_pattern($1, device_t, lirc_device_t)
++')
++
++#######################################
++## <summary>
++##      Automatic type transition to the type
++##      for lirc device nodes when created in /dev.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`dev_filetrans_lirc',`
++        gen_require(`
++                type device_t, lirc_device_t;
++        ')
++
++        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
++')
++
 +########################################
 +## <summary>
  ##	Read the lvm comtrol device.
  ## </summary>
  ## <param name="domain">
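Review bot: The three new `dev_read_lirc`, `dev_rw_lirc` and `dev_filetrans_lirc` interfaces are indented with spaces (eight inside `gen_require`, sixteen for the `type` line, six after `##` in the doc blocks) while the surrounding devices.if interfaces use a single tab, and their `#` banner lines appear one character shorter than the 40-character banners used elsewhere in the file; please match the file's tab indentation and banner width. Apart from layout the interfaces follow the same shape as the `kvm_device_t` interfaces directly above them, with the `<summary>` and `<param>` blocks the XML doc generator expects. `dev_read_lirc` has no caller in the lircd changes of this commit; that is acceptable for a kernel-layer interface but worth confirming a caller is intended. The enclosing hunk is complete.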
-@@ -1958,6 +2179,96 @@
+@@ -1958,6 +2234,96 @@
  
  ########################################
  ## <summary>
@@ -7729,7 +7798,7 @@
  ##	Read and write to the null device (/dev/null).
  ## </summary>
  ## <param name="domain">
-@@ -2104,6 +2415,98 @@
+@@ -2104,6 +2470,98 @@
  
  ########################################
  ## <summary>
@@ -7828,7 +7897,7 @@
  ##	Read from random number generator
  ##	devices (e.g., /dev/random)
  ## </summary>
-@@ -2142,6 +2545,25 @@
+@@ -2142,6 +2600,25 @@
  
  ########################################
  ## <summary>
@@ -7854,7 +7923,7 @@
  ##	Write to the random device (e.g., /dev/random). This adds
  ##	entropy used to generate the random data read from the
  ##	random device.
-@@ -2769,6 +3191,24 @@
+@@ -2769,6 +3246,24 @@
  
  ########################################
  ## <summary>
@@ -7879,7 +7948,7 @@
  ##	Read and write generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -2957,6 +3397,25 @@
+@@ -2957,6 +3452,25 @@
  	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
  ')
  
@@ -7905,7 +7974,7 @@
  ########################################
  ## <summary>
  ##	Get the attributes of video4linux devices.
-@@ -3322,3 +3781,22 @@
+@@ -3322,3 +3836,22 @@
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -7930,7 +7999,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te	2009-04-03 10:51:23.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.te	2009-04-07 00:12:12.000000000 +0200
 @@ -1,5 +1,5 @@
  
 -policy_module(devices, 1.7.0)
@@ -7951,7 +8020,7 @@
  type cardmgr_dev_t;
  dev_node(cardmgr_dev_t)
  files_tmp_file(cardmgr_dev_t)
-@@ -66,12 +72,25 @@
+@@ -66,12 +72,31 @@
  dev_node(framebuf_device_t)
  
  #
@@ -7974,10 +8043,16 @@
 +dev_node(kvm_device_t)
 +
 +#
++## Type for /dev/lirc
++##
++type lirc_device_t;
++dev_node(lirc_device_t)
++
++#
  # Type for /dev/mapper/control
  #
  type lvm_control_t;
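Review bot: The comment introducing the new `lirc_device_t` type is written with `##` (`## Type for /dev/lirc`, `##`) while every neighbouring type comment in devices.te, such as `# Type for /dev/mapper/control`, uses a single `#`; in refpolicy, `##` lines are treated as documentation markup by the XML doc generator, so a stray doc line outside a `<summary>`/`<desc>` block may be picked up or flagged by it. Change the two lines to `# Type for /dev/lirc` and `#` to match the file. The file context added in the same patch labels `/dev/lirc[0-9]+`, so `# Type for /dev/lirc[0-9]+` would also describe the type more precisely.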
-@@ -104,6 +123,12 @@
+@@ -104,6 +129,12 @@
  genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
  
  #
@@ -7990,7 +8065,7 @@
  # null_device_t is the type of /dev/null.
  #
  type null_device_t;
-@@ -128,6 +153,12 @@
+@@ -128,6 +159,12 @@
  mls_file_write_within_range(printer_device_t)
  
  #
@@ -8003,7 +8078,7 @@
  # random_device_t is the type of /dev/random
  #
  type random_device_t;
-@@ -157,6 +188,12 @@
+@@ -157,6 +194,12 @@
  genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
  
  #
@@ -16003,15 +16078,16 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.5.13/policy/modules/services/dcc.fc
 --- nsaserefpolicy/policy/modules/services/dcc.fc	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/dcc.fc	2009-03-27 15:03:55.000000000 +0100
-@@ -10,6 +10,7 @@
- /usr/libexec/dcc/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
- /usr/libexec/dcc/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
++++ serefpolicy-3.5.13/policy/modules/services/dcc.fc	2009-04-06 13:11:38.000000000 +0200
+@@ -12,6 +12,8 @@
  
-+/var/lib/dcc(/.*)?   			gen_context(system_u:object_r:dcc_var_t,s0)
  /var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
  /var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
++/var/lib/dcc(/.*)?   			gen_context(system_u:object_r:dcc_var_t,s0)
++/var/lib/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
  
+ /var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
+ /var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.13/policy/modules/services/dcc.if
 --- nsaserefpolicy/policy/modules/services/dcc.if	2008-10-17 14:49:11.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/services/dcc.if	2009-02-10 15:07:15.000000000 +0100
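Review bot: The moved `/var/lib/dcc(/.*)?` entry still carries three spaces after `?` before its tab run, so its context column does not line up with the `/var/dcc` entries around it; drop the spaces and use tabs only, as the new `/var/lib/dcc/map` line already does. Placing the `/var/lib/dcc` entries after the `/var/dcc` ones, as this hunk now does, keeps the file in path order. The `--` on the new `map` line limits that context to regular files, consistent with the existing `/var/dcc/map` entry.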
@@ -18406,8 +18482,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.5.13/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/lircd.te	2009-04-03 15:23:05.000000000 +0200
-@@ -0,0 +1,60 @@
++++ serefpolicy-3.5.13/policy/modules/services/lircd.te	2009-04-07 09:19:24.000000000 +0200
+@@ -0,0 +1,64 @@
 +policy_module(lircd,1.0.0)
 +
 +########################################
@@ -18440,6 +18516,7 @@
 +#
 +
 +allow lircd_t self:process signal;
++allow lircd_t self:fifo_file rw_fifo_file_perms;
 +allow lircd_t self:unix_dgram_socket create_socket_perms;
 +
 +# etc file
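Review bot: The new `allow lircd_t self:fifo_file rw_fifo_file_perms;` rule has no comment saying what in lircd needs a fifo on its own type; a one-line comment naming the operation or AVC denial that motivated it (e.g. `# <reason for self fifo: fill in from the observed denial>`) would let a later reviewer judge whether it can be dropped. The rule is narrowly scoped to lircd_t's own fifo files, which is a common daemon pattern. The lircd_t rule block it sits in starts before this hunk.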
@@ -18454,6 +18531,9 @@
 +manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
 +dev_filetrans(lircd_t, lircd_sock_t, sock_file )
 +
++dev_filetrans_lirc(lircd_t)
++dev_rw_lirc(lircd_t)
++
 +files_read_etc_files(lircd_t)
 +
 +files_list_var(lircd_t)
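Review bot: `dev_filetrans_lirc(lircd_t)` sets up the type transition for lirc device nodes that lircd itself creates in /dev, which is only needed if lircd creates the node rather than udev; if udev creates it, the `/dev/lirc[0-9]+` file context added in devices.fc already labels it and only `dev_rw_lirc(lircd_t)` is required. Please add a comment stating which case applies, e.g. `# lircd creates /dev/lircN itself rather than relying on udev` (adjusted to what was actually observed). Grouping the two calls next to the existing `dev_filetrans(lircd_t, lircd_sock_t, sock_file )` line is sensible. The lircd_t rule block continues outside this hunk.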


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.786
retrieving revision 1.787
diff -u -r1.786 -r1.787
--- selinux-policy.spec	30 Mar 2009 14:56:27 -0000	1.786
+++ selinux-policy.spec	7 Apr 2009 12:15:39 -0000	1.787
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 54%{?dist}
+Release: 55%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,9 @@
 %endif
 
 %changelog
+* Tue Apr 7 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-55
+- Allow swat_t domtrans to smbd_t
+
 * Mon Mar 30 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-54
 - Allow bitlbee_t to read /proc/meminfo
 - Fix lircd policy



