rpms/selinux-policy/F-11 policy-20090105.patch, 1.96, 1.97 selinux-policy.spec, 1.831, 1.832
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Apr 21 20:11:29 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15821
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-11
- Allow nsplugin unix_read and write on users shm and sem
- Allow sysadm_t to execute su
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.96
retrieving revision 1.97
diff -u -r1.96 -r1.97
--- policy-20090105.patch 21 Apr 2009 18:42:03 -0000 1.96
+++ policy-20090105.patch 21 Apr 2009 20:10:57 -0000 1.97
@@ -1524,7 +1524,7 @@
application_executable_file(sudo_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.12/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-21 15:49:55.000000000 -0400
@@ -90,15 +90,6 @@
miscfiles_read_localization($1_su_t)
@@ -2777,8 +2777,8 @@
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,272 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-21 15:54:32.000000000 -0400
+@@ -0,0 +1,274 @@
+
+## <summary>policy for nsplugin</summary>
+
@@ -2889,6 +2889,8 @@
+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
++ allow nsplugin_t $2:sem { unix_read unix_write };
++ allow nsplugin_t $2:shm { unix_read unix_write };
+
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
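Review bot: The two added rules give nsplugin_t unix_read and unix_write on every SysV semaphore and shared-memory segment belonging to the `$2` domain, and nothing in the hunk says which plugin needs that access; if `$2` is the user's session domain, as the changelog's "users shm and sem" suggests, plugin code can then read and alter any segment that session created, not only the ones a particular plugin shares. The neighbouring rules in this block are kept narrow (ptrace is only dontaudited, the socket rule is connectto only), so a short comment on the new lines would keep the widening reviewable, e.g. `# <plugin — TODO confirm> shares SysV shm/sem with the user session; dontaudit was not sufficient`. The enclosing interface begins before this hunk.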
@@ -5079,7 +5081,7 @@
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-21 16:08:44.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -5150,7 +5152,7 @@
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
-@@ -153,3 +172,43 @@
+@@ -153,3 +172,45 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5164,7 +5166,9 @@
+ cron_dontaudit_write_system_job_tmp_files(domain)
+ cron_rw_pipes(domain)
+ cron_rw_system_job_pipes(domain)
++
+ifdef(`hide_broken_symptoms',`
++ fs_list_inotifyfs(domain)
+ allow domain domain:key { link search };
+')
+')
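Review bot: `fs_list_inotifyfs(domain)` is placed inside the `ifdef(`hide_broken_symptoms'` block, so it is an allow on the whole `domain` attribute that comes and goes with a build-time option, and the hunk gives no hint which broken symptom it hides. A one-line comment naming the application that lists inotifyfs, or a note that a dontaudit would do if the access is only log noise, would make the rule reviewable: `# TODO(review): which domain lists inotifyfs here? allow vs dontaudit`. The cron.te hunk later in this commit adds `fs_list_inotifyfs(system_cronjob_t)` unconditionally, which becomes redundant on hide_broken_symptoms builds; that is harmless but worth stating so the two rules are not mistaken for independent requirements. The enclosing ifdef and the block around it start before this hunk.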
@@ -6319,7 +6323,7 @@
## requiring the caller to use setexeccon().
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-21 15:50:14.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -6367,15 +6371,16 @@
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -127,18 +114,10 @@
+@@ -127,7 +114,7 @@
')
optional_policy(`
- cron_admin_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- cvs_exec(sysadm_t)
++ su_exec(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -135,10 +122,6 @@
')
optional_policy(`
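Review bot: `su_exec(sysadm_t)` appears to be dropped into an existing `optional_policy` block whose other contents are not visible here (the `cvs_exec(sysadm_t)` context line is removed from the patch and the inner hunk shrinks from 18/10 to 7/7 lines), so it cannot be told from the hunk whether the su rule now sits in a block keyed to another module; if it does, the rule silently vanishes whenever that module is not loaded. Giving it its own block containing only `su_exec(sysadm_t)` avoids that coupling. If su_exec is the refpolicy "execute in the caller domain" interface, a comment stating why sysadm_t is meant to run su in its own domain rather than through the su role transition would document the intent, since the exec-without-transition form keeps everything su does under sysadm_t. The enclosing optional_policy block opens before the inner hunk's visible lines.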
@@ -6386,7 +6391,7 @@
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
-@@ -166,10 +145,6 @@
+@@ -166,10 +149,6 @@
')
optional_policy(`
@@ -6397,7 +6402,7 @@
firstboot_run(sysadm_t, sysadm_r)
')
-@@ -178,22 +153,6 @@
+@@ -178,22 +157,6 @@
')
optional_policy(`
@@ -6420,7 +6425,7 @@
hostname_run(sysadm_t, sysadm_r)
')
-@@ -212,11 +171,7 @@
+@@ -212,11 +175,7 @@
')
optional_policy(`
@@ -6433,7 +6438,7 @@
')
optional_policy(`
-@@ -228,10 +183,6 @@
+@@ -228,10 +187,6 @@
')
optional_policy(`
@@ -6444,7 +6449,7 @@
logrotate_run(sysadm_t, sysadm_r)
')
-@@ -255,14 +206,6 @@
+@@ -255,14 +210,6 @@
')
optional_policy(`
@@ -6459,7 +6464,7 @@
mta_role(sysadm_r, sysadm_t)
')
-@@ -290,11 +233,6 @@
+@@ -290,11 +237,6 @@
')
optional_policy(`
@@ -6471,7 +6476,7 @@
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
-@@ -308,10 +246,6 @@
+@@ -308,10 +250,6 @@
')
optional_policy(`
@@ -6482,7 +6487,7 @@
quota_run(sysadm_t, sysadm_r)
')
-@@ -320,22 +254,10 @@
+@@ -320,22 +258,10 @@
')
optional_policy(`
@@ -6505,7 +6510,7 @@
rsync_exec(sysadm_t)
')
-@@ -345,10 +267,6 @@
+@@ -345,10 +271,6 @@
')
optional_policy(`
@@ -6516,7 +6521,7 @@
secadm_role_change(sysadm_r)
')
-@@ -358,35 +276,15 @@
+@@ -358,35 +280,15 @@
')
optional_policy(`
@@ -6552,7 +6557,7 @@
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +292,10 @@
+@@ -394,18 +296,10 @@
')
optional_policy(`
@@ -6571,7 +6576,7 @@
unconfined_domtrans(sysadm_t)
')
-@@ -418,20 +308,12 @@
+@@ -418,20 +312,12 @@
')
optional_policy(`
@@ -6592,7 +6597,7 @@
vpn_run(sysadm_t, sysadm_r)
')
-@@ -440,13 +322,5 @@
+@@ -440,13 +326,5 @@
')
optional_policy(`
@@ -10688,7 +10693,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 09:44:30.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 16:03:54.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10919,7 +10924,15 @@
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +434,8 @@
+@@ -345,6 +409,7 @@
+ fs_getattr_all_symlinks(system_cronjob_t)
+ fs_getattr_all_pipes(system_cronjob_t)
+ fs_getattr_all_sockets(system_cronjob_t)
++fs_list_inotifyfs(system_cronjob_t)
+
+ # quiet other ps operations
+ domain_dontaudit_read_all_domains_state(system_cronjob_t)
+@@ -370,7 +435,8 @@
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10929,7 +10942,7 @@
auth_use_nsswitch(system_cronjob_t)
-@@ -378,6 +443,7 @@
+@@ -378,6 +444,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
@@ -10937,7 +10950,7 @@
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
-@@ -418,6 +484,10 @@
+@@ -418,6 +485,10 @@
')
optional_policy(`
@@ -10948,7 +10961,7 @@
ftp_read_log(system_cronjob_t)
')
-@@ -428,11 +498,20 @@
+@@ -428,11 +499,20 @@
')
optional_policy(`
@@ -10969,7 +10982,7 @@
')
optional_policy(`
-@@ -447,6 +526,7 @@
+@@ -447,6 +527,7 @@
prelink_read_cache(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
@@ -10977,7 +10990,7 @@
')
optional_policy(`
-@@ -460,8 +540,7 @@
+@@ -460,8 +541,7 @@
')
optional_policy(`
@@ -10987,7 +11000,7 @@
')
optional_policy(`
-@@ -469,24 +548,17 @@
+@@ -469,24 +549,17 @@
')
optional_policy(`
@@ -11015,7 +11028,7 @@
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +642,9 @@
+@@ -570,6 +643,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@@ -19942,7 +19955,7 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-21 13:16:52.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-21 15:17:25.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.831
retrieving revision 1.832
diff -u -r1.831 -r1.832
--- selinux-policy.spec 21 Apr 2009 18:19:34 -0000 1.831
+++ selinux-policy.spec 21 Apr 2009 20:10:58 -0000 1.832
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,7 +446,12 @@
%endif
%changelog
+* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-11
+- Allow nsplugin unix_read and write on users shm and sem
+- Allow sysadm_t to execute su
+
* Tue Apr 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-10
+- Dontaudit attempts to getattr user_tmpfs_t by lvm
- Allow nfs to share removable media
* Mon Apr 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-9