rpms/selinux-policy/F-10 policy-20080710.patch,1.163,1.164
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Apr 23 15:44:07 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5699
Modified Files:
policy-20080710.patch
Log Message:
- Allow nfs to share removable media
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.163
retrieving revision 1.164
diff -u -r1.163 -r1.164
--- policy-20080710.patch 16 Apr 2009 09:49:20 -0000 1.163
+++ policy-20080710.patch 23 Apr 2009 15:43:34 -0000 1.164
@@ -18576,8 +18576,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.5.13/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/lircd.te 2009-04-07 09:19:24.000000000 +0200
-@@ -0,0 +1,64 @@
++++ serefpolicy-3.5.13/policy/modules/services/lircd.te 2009-04-17 10:05:39.000000000 +0200
+@@ -0,0 +1,69 @@
+policy_module(lircd,1.0.0)
+
+########################################
@@ -18628,6 +18628,8 @@
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+
++dev_read_generic_usb_dev(lircd_t)
++
+files_read_etc_files(lircd_t)
+
+files_list_var(lircd_t)
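Review bot: `dev_read_generic_usb_dev(lircd_t)` is added with no comment saying which device lircd needs, and as the interface name indicates, it covers generic USB device nodes rather than a type specific to IR receivers. The module still declares `permissive lircd_t;` (visible in the next hunk), so this rule is not enforced yet and its scope should be settled before that line is removed. I would add a rationale above the call, e.g. `# lircd reads its receiver through a generic USB node: <bug/AVC reference>`, and check whether a narrower device type can be used instead. The lircd.te body continues outside this hunk.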
@@ -18638,6 +18640,9 @@
+
+libs_use_ld_so(lircd_t)
+libs_use_shared_libs(lircd_t)
++
++fs_list_inotifyfs(lircd_t)
++
+miscfiles_read_localization(lircd_t)
+
+permissive lircd_t;
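Review bot: `fs_list_inotifyfs(lircd_t)` is granted here without any rationale, and the same call is added for rpcbind_t, rpcd_t, nfsd_t and gssd_t in later hunks of this commit, none of which the log message ("Allow nfs to share removable media") mentions. Listing inotifyfs is a small grant, but five identical additions with no recorded denial make it hard to audit later whether each daemon needs the access or whether it is incidental. I would record the reason once per module, e.g. `# <daemon> lists inotifyfs: <bug/AVC reference>`, and extend the changelog entry so it also covers the lircd, rpcbind and ssh changes.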
@@ -26030,8 +26035,17 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.13/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te 2009-02-10 15:07:15.000000000 +0100
-@@ -60,6 +60,7 @@
++++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te 2009-04-23 09:19:32.000000000 +0200
+@@ -31,6 +31,8 @@
+ allow rpcbind_t self:udp_socket create_socket_perms;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+
++fs_list_inotifyfs(rpcbind_t)
++
+ manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+ manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+ files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
+@@ -60,6 +62,7 @@
domain_use_interactive_fds(rpcbind_t)
files_read_etc_files(rpcbind_t)
@@ -26117,7 +26131,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2009-04-23 09:19:05.000000000 +0200
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@@ -26127,7 +26141,7 @@
rpc_domain_template(gssd)
-@@ -68,6 +68,7 @@
+@@ -68,11 +68,13 @@
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
@@ -26135,7 +26149,13 @@
corecmd_exec_bin(rpcd_t)
-@@ -101,6 +102,7 @@
+ files_manage_mounttab(rpcd_t)
+
++fs_list_inotifyfs(rpcd_t)
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
+ fs_read_rpc_symlinks(rpcd_t)
+@@ -101,6 +103,7 @@
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
@@ -26143,7 +26163,23 @@
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -133,13 +135,22 @@
+@@ -116,6 +119,7 @@
+ # cjp: this should really have its own type
+ files_manage_mounttab(rpcd_t)
+
++fs_list_inotifyfs(nfsd_t)
+ fs_mount_nfsd_fs(nfsd_t)
+ fs_search_nfsd_fs(nfsd_t)
+ fs_getattr_all_fs(nfsd_t)
+@@ -123,6 +127,7 @@
+ fs_rw_nfsd_fs(nfsd_t)
+
+ storage_dontaudit_read_fixed_disk(nfsd_t)
++storage_raw_read_removable_device(nfsd_t)
+
+ # Read access to public_content_t and public_content_rw_t
+ miscfiles_read_public_files(nfsd_t)
+@@ -133,13 +138,22 @@
')
tunable_policy(`nfs_export_all_rw',`
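Review bot: `storage_raw_read_removable_device(nfsd_t)` is added unconditionally, so nfsd_t gains raw read access to removable block devices on every system, not only on hosts that export removable media. Raw device reads are not mediated by the per-file labels of the filesystem on that device, which makes the grant broader than the "share removable media" purpose given in the log. Note that the line directly above only dontaudits the equivalent access to fixed disks. I would put the call behind a boolean (an existing export tunable such as nfs_export_all_rw, whose block opens at the end of this hunk, or a dedicated one) and add a comment such as `# raw read needed to export removable media: <bug/AVC reference>`. The nfsd local policy starts and ends outside this hunk.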
@@ -26167,7 +26203,15 @@
')
########################################
-@@ -170,9 +181,14 @@
+@@ -162,6 +176,7 @@
+
+ corecmd_exec_bin(gssd_t)
+
++fs_list_inotifyfs(gssd_t)
+ fs_list_rpc(gssd_t)
+ fs_read_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
+@@ -170,9 +185,14 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
@@ -26182,7 +26226,7 @@
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
-@@ -180,8 +196,7 @@
+@@ -180,8 +200,7 @@
')
optional_policy(`
@@ -29023,7 +29067,7 @@
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2009-03-20 09:28:24.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2009-04-23 09:21:24.000000000 +0200
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -29243,7 +29287,15 @@
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
-@@ -478,7 +484,12 @@
+@@ -462,6 +468,7 @@
+ # Access key files
+ allow $1_t sshd_key_t:file { getattr read };
+
++ kernel_read_network_state($1_t)
+ kernel_read_kernel_sysctls($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+@@ -478,7 +485,12 @@
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
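Review bot: `kernel_read_network_state($1_t)` is added inside an ssh.if template, so every domain created from that template gets read access to kernel network state, and neither the hunk nor the log message says which denial prompted it. A short comment above the line, e.g. `# reads kernel network state: <bug/AVC reference>`, would let a later reviewer decide whether the grant belongs in the template or only in one caller. The template body begins and ends outside this hunk, so which template this is cannot be confirmed from here.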
@@ -29256,7 +29308,7 @@
fs_dontaudit_getattr_all_fs($1_t)
-@@ -495,6 +506,8 @@
+@@ -495,6 +507,8 @@
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
@@ -29265,7 +29317,7 @@
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
-@@ -506,9 +519,14 @@
+@@ -506,9 +520,14 @@
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
@@ -29280,7 +29332,7 @@
')
tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +535,7 @@
+@@ -517,11 +536,7 @@
optional_policy(`
kerberos_use($1_t)
@@ -29293,7 +29345,7 @@
')
optional_policy(`
-@@ -605,6 +619,25 @@
+@@ -605,6 +620,25 @@
allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
')
@@ -29319,7 +29371,7 @@
########################################
## <summary>
## Do not audit attempts to read and write
-@@ -710,3 +743,22 @@
+@@ -710,3 +744,22 @@
dontaudit $1 sshd_key_t:file { getattr read };
')