rpms/selinux-policy/devel policy-20090105.patch, 1.88, 1.89 selinux-policy.spec, 1.825, 1.826

Daniel J Walsh dwalsh at fedoraproject.org
Fri Apr 17 14:19:19 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19378

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- policy-20090105.patch	16 Apr 2009 15:14:25 -0000	1.88
+++ policy-20090105.patch	17 Apr 2009 14:19:16 -0000	1.89
@@ -4661,8 +4661,17 @@
 +corecmd_executable_file(wm_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-03-05 10:34:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-04-07 16:01:44.000000000 -0400
-@@ -134,6 +134,8 @@
++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-04-17 07:21:07.000000000 -0400
+@@ -32,6 +32,8 @@
+ #
+ # /etc
+ #
++/etc/acpi/actions(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/apcupsd/apccontrol		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/apcupsd/changeme		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/apcupsd/commfailure	--	gen_context(system_u:object_r:bin_t,s0)
+@@ -134,6 +136,8 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -4671,7 +4680,7 @@
  #
  # /usr
  #
-@@ -299,3 +301,14 @@
+@@ -299,3 +303,14 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -5607,7 +5616,7 @@
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.12/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2009-03-04 15:43:10.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.te	2009-04-17 08:55:09.000000000 -0400
 @@ -206,6 +206,10 @@
  genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
  genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
@@ -5619,7 +5628,7 @@
  
  type fusefs_t;
  fs_noxattr_type(fusefs_t)
-@@ -244,8 +248,6 @@
+@@ -244,12 +248,12 @@
  genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
@@ -5628,6 +5637,12 @@
  genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
  genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
+ 
+ ########################################
+ #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-04-13 08:28:24.000000000 -0400
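Review bot: The two added `genfscon` lines label xenfs and gadgetfs as `nfs_t`, so every rule written for network filesystems now also covers the Xen control filesystem and the USB gadget filesystem. Any domain granted `nfs_t` access for remote home directories or shares would, on this reading, also reach those kernel interfaces. Neither is a network filesystem, so a dedicated type declared with `fs_noxattr_type()`, as is done for `fusefs_t` earlier in the file, would keep the grant narrow. If `nfs_t` is a deliberate stopgap, a comment such as `# xenfs/gadgetfs: temporary nfs_t label, needs its own type` above the lines would record that. The genfscon list starts and ends outside the hunk.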
@@ -21467,7 +21482,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-04-16 11:03:14.000000000 -0400
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -21531,7 +21546,7 @@
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -216,16 +253,31 @@
+@@ -216,16 +253,32 @@
  allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
@@ -21552,6 +21567,7 @@
 +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
++userdom_append_user_home_content_files(spamc_t)
 +
  # Allow connecting to a local spamd
  allow spamc_t spamd_t:unix_stream_socket connectto;
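Review bot: `userdom_append_user_home_content_files(spamc_t)`, added at the end of the home-directory block, widens spamc_t from its private `spamc_home_t` files to append access on user home content in general. The interface body is not visible here, but if it covers the generic home type, a spamc process that parses untrusted mail could append to arbitrary files owned by the user. The lines just above already give spamc_t its own type and a `userdom_user_home_dir_filetrans` transition, so labelling the file behind the denial as `spamc_home_t` would avoid the broad grant. Failing that, a comment naming the file (`# spamc appends to <file> in the user home directory`) would let the rule be narrowed later.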
@@ -21563,7 +21579,7 @@
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -255,9 +307,15 @@
+@@ -255,9 +308,15 @@
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -21579,7 +21595,7 @@
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -265,31 +323,35 @@
+@@ -265,31 +324,35 @@
  
  sysnet_read_config(spamc_t)
  
@@ -21627,7 +21643,7 @@
  ')
  
  ########################################
-@@ -301,7 +363,7 @@
+@@ -301,7 +364,7 @@
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -21636,7 +21652,7 @@
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -317,10 +379,13 @@
+@@ -317,10 +380,13 @@
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -21651,7 +21667,7 @@
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +394,11 @@
+@@ -329,10 +395,11 @@
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -21664,7 +21680,7 @@
  files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
  
  kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +448,27 @@
+@@ -382,22 +449,27 @@
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -21696,7 +21712,7 @@
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -415,6 +486,7 @@
+@@ -415,6 +487,7 @@
  
  optional_policy(`
  	dcc_domtrans_client(spamd_t)
@@ -21704,7 +21720,7 @@
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -424,10 +496,6 @@
+@@ -424,10 +497,6 @@
  ')
  
  optional_policy(`
@@ -21715,7 +21731,7 @@
  	postfix_read_config(spamd_t)
  ')
  
-@@ -442,6 +510,10 @@
+@@ -442,6 +511,10 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -25479,7 +25495,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-16 10:02:04.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-17 07:33:11.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -25741,7 +25757,18 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -647,6 +720,11 @@
+@@ -591,6 +664,10 @@
+ ')
+ 
+ optional_policy(`
++	hal_write_log(initrc_t)
++')
++
++optional_policy(`
+ 	dev_read_usbfs(initrc_t)
+ 
+ 	# init scripts run /etc/hotplug/usb.rc
+@@ -647,6 +724,11 @@
  ')
  
  optional_policy(`
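Review bot: The new `optional_policy` block calls `hal_write_log(initrc_t)` with no comment saying which init script writes to the HAL log. The neighbouring block records its reason (`# init scripts run /etc/hotplug/usb.rc`); a matching line here, e.g. `# <script> writes to the hald log at start-up`, would make the grant auditable. The interface body is not in this hunk, but if it grants full write rather than append, an append-only interface would be the safer choice for a log file, since write permission allows earlier entries to be overwritten.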
@@ -25753,7 +25780,7 @@
  	mailman_list_data(initrc_t)
  	mailman_read_data_symlinks(initrc_t)
  ')
-@@ -655,12 +733,6 @@
+@@ -655,12 +737,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -25766,7 +25793,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -721,6 +793,9 @@
+@@ -721,6 +797,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -25776,7 +25803,7 @@
  ')
  
  optional_policy(`
-@@ -733,10 +808,12 @@
+@@ -733,10 +812,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -25789,7 +25816,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +831,11 @@
+@@ -754,6 +835,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -25801,7 +25828,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -761,6 +843,8 @@
+@@ -761,6 +847,8 @@
  		# system-config-services causes avc messages that should be dontaudited
  		unconfined_dontaudit_rw_pipes(daemon)
  	')
@@ -25810,7 +25837,7 @@
  
  	optional_policy(`
  		mono_domtrans(initrc_t)
-@@ -768,6 +852,10 @@
+@@ -768,6 +856,10 @@
  ')
  
  optional_policy(`
@@ -25821,7 +25848,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +878,25 @@
+@@ -790,3 +882,25 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -25937,7 +25964,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.12/policy/modules/system/iscsi.if
 --- nsaserefpolicy/policy/modules/system/iscsi.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/iscsi.if	2009-04-09 10:18:10.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/iscsi.if	2009-04-17 07:27:34.000000000 -0400
 @@ -17,3 +17,43 @@
  
  	domtrans_pattern($1,iscsid_exec_t,iscsid_t)
@@ -25975,11 +26002,11 @@
 +#
 +interface(`iscsi_stream_connect',`
 +	gen_require(`
-+		type iscsi_t, iscsi_var_lib_t;
++		type iscsid_t, iscsi_var_lib_t;
 +	')
 +
 +	files_search_pids($1)
-+	stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsi_t)
++	stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
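Review bot: With the type name corrected to `iscsid_t`, `iscsi_stream_connect` still calls `files_search_pids($1)` while the socket type handed to `stream_connect_pattern` is `iscsi_var_lib_t`. If the socket lives under /var/lib, as the type name suggests, the caller needs search on that directory instead: `files_search_var_lib($1)`. If it really sits in the pid directory, the socket type in the pattern looks wrong. The interface's doc comment starts above the hunk.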
@@ -26004,7 +26031,7 @@
 +miscfiles_read_localization(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-04-16 13:27:53.000000000 -0400
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -26101,10 +26128,11 @@
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/dri/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/X11R6/lib/libOSMesa\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/X11R6/lib/libOSMesa\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libfglrx_gamma\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libfglrx_gamma\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libOSMesa\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/valgrind/hp2ps		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
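Review bot: The widened patterns `/usr/X11R6/lib/libOSMesa.*\.so.*` and `/usr/lib(64)?/libOSMesa.*\.so.*` use `.*`, which in file-context regexes also matches `/`, so they can label files inside any subdirectory whose name begins with `libOSMesa`, and anything following `.so`. `textrel_shlib_t` is the label that exempts a library from the text-relocation restriction, so the match is worth keeping to the intended libraries: `/usr/lib(64)?/libOSMesa[^/]*\.so(\.[^/]*)*`, and the same form for the X11R6 line. The file-context list continues outside the hunk.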
@@ -29107,7 +29135,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-14 14:04:17.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-16 11:03:07.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.825
retrieving revision 1.826
diff -u -r1.825 -r1.826
--- selinux-policy.spec	16 Apr 2009 15:14:26 -0000	1.825
+++ selinux-policy.spec	17 Apr 2009 14:19:17 -0000	1.826
@@ -15,7 +15,7 @@
 %endif
 %define POLICYVER 23
 %define libsepolver 2.0.20-1
-%define POLICYCOREUTILSVER 2.0.62-7
+%define POLICYCOREUTILSVER 2.0.62-10
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
@@ -50,7 +50,7 @@
 BuildArch: noarch
 BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2 
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
-Requires(post): /usr/bin/bunzip2 /bin/mktemp
+Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk
 Requires: checkpolicy >= %{CHECKPOLICYVER} m4 
 Obsoletes: selinux-policy-devel
 Provides: selinux-policy-devel
@@ -94,7 +94,7 @@
 cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
 
 %define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
+awk '$1 !~ "/^#/" && $1 != "unconfined" && $1 != "unconfineduser" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
 
 %define installCmds() \
 make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
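Review bot: In the rewritten `moduleList` awk program the comment filter `$1 !~ "/^#/"` is a string, so awk takes the slashes as part of the regex and the test never matches a line that starts with `#`; a line such as `#foo = module` would still be emitted as `#foo.pp.bz2`. A regex literal fixes it: `$1 !~ /^#/`. The two new `$1 != "unconfined" && $1 != "unconfineduser"` tests hard-code module names inside a macro that takes the policy name as `%1`, so a short comment above the macro stating that these two modules are supplied separately through the second argument of `loadpolicy` would explain the exclusion.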
@@ -172,7 +172,7 @@
 
 %define loadpolicy() \
 ( cd /usr/share/selinux/%1; \
-semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} -s %1; \
+semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \
 ); \
 
 %define relabel() \
@@ -311,12 +311,18 @@
 %saveFileContext targeted
 
 %post targeted
+set -x
 if [ $1 -eq 1 ]; then
-%loadpolicy targeted
+%loadpolicy targeted "unconfined.pp.bz2 unconfineduser.pp.bz2"
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
-%loadpolicy targeted unconfined.pp unconfineduser.pp
+
+packages=""
+for i in `semodule -l | awk '{print $1 }' | grep -E "(^unconfined$|^unconfineduser$)"`; do
+packages="$packages $i.pp.bz2"
+done
+%loadpolicy targeted $packages
 %relabel targeted
 fi
 exit 0
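Review bot: `set -x` at the top of `%post targeted` looks like a debugging leftover; it traces every scriptlet command on each install and upgrade and should be dropped before release. In the upgrade branch, if `semodule -l` fails, `packages` stays empty and, with the unconditional `exit 0`, the scriptlet reports success without reloading the unconfined modules; checking that command's result or logging the empty case would make this visible. The `semodule -l | awk | grep -E` chain can also be a single awk: `semodule -l | awk '$1 == "unconfined" || $1 == "unconfineduser" { print $1 }'`.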
@@ -440,8 +446,12 @@
 %endif
 
 %changelog
-* Tue Apr 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-6
+
+* Fri Apr 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-6
 - Allow cupsd_t to create link files in print_spool_t
+- Fix iscsi_stream_connect typo
+- Fix labeling on /etc/acpi/actions
+- Don't reinstall unconfine and unconfineuser on upgrade if they are not installed
 
 * Tue Apr 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-5
 - Allow audioentroy to read etc files



