rpms/selinux-policy/F-11 policy-20090521.patch, 1.39, 1.40 selinux-policy.spec, 1.894, 1.895

Miroslav Grepl mgrepl at fedoraproject.org
Wed Aug 5 21:49:50 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12138

Modified Files:
	policy-20090521.patch selinux-policy.spec 
Log Message:
- Allow svirt images to create sock_file in svirt_var_run_t



policy-20090521.patch:
 mcs                                |   12 -
 modules/admin/certwatch.te         |    4 
 modules/admin/kismet.te            |   16 ++
 modules/admin/logrotate.te         |    6 
 modules/admin/mrtg.te              |    4 
 modules/admin/prelink.te           |    9 -
 modules/admin/readahead.te         |    2 
 modules/admin/rpm.if               |   18 ++
 modules/admin/rpm.te               |    4 
 modules/admin/shorewall.fc         |   12 +
 modules/admin/shorewall.if         |  166 ++++++++++++++++++++++
 modules/admin/shorewall.te         |  103 +++++++++++++
 modules/admin/sudo.if              |    4 
 modules/admin/usermanage.te        |    1 
 modules/apps/calamaris.te          |    4 
 modules/apps/gitosis.fc            |    4 
 modules/apps/gitosis.if            |   96 ++++++++++++
 modules/apps/gitosis.te            |   43 +++++
 modules/apps/mozilla.if            |   16 ++
 modules/apps/mozilla.te            |   14 +
 modules/apps/nsplugin.if           |    2 
 modules/apps/qemu.fc               |    1 
 modules/apps/qemu.te               |    5 
 modules/apps/sandbox.if            |  134 +++++++++++++-----
 modules/apps/sandbox.te            |  274 ++++++++++++++++++++++++++++++++++---
 modules/apps/screen.if             |    1 
 modules/apps/vmware.fc             |    1 
 modules/apps/vmware.te             |    6 
 modules/kernel/corecommands.fc     |    9 +
 modules/kernel/corenetwork.te.in   |    4 
 modules/kernel/devices.fc          |    2 
 modules/kernel/devices.if          |  145 +++++++++++++++++++
 modules/kernel/devices.te          |   13 +
 modules/kernel/domain.if           |   45 ++----
 modules/kernel/domain.te           |   30 +++-
 modules/kernel/files.if            |    3 
 modules/kernel/kernel.if           |    2 
 modules/kernel/terminal.if         |   19 ++
 modules/roles/staff.te             |   12 +
 modules/roles/sysadm.if            |   35 ++++
 modules/roles/sysadm.te            |    4 
 modules/roles/unconfineduser.te    |    9 -
 modules/roles/unprivuser.te        |    4 
 modules/roles/xguest.te            |    6 
 modules/services/apache.fc         |    4 
 modules/services/automount.if      |   18 ++
 modules/services/avahi.te          |    2 
 modules/services/bluetooth.te      |    1 
 modules/services/clamav.te         |    4 
 modules/services/consolekit.te     |    3 
 modules/services/cron.if           |   19 --
 modules/services/cron.te           |    2 
 modules/services/cups.te           |    3 
 modules/services/dbus.if           |    4 
 modules/services/dcc.te            |    8 -
 modules/services/ddclient.if       |   25 +++
 modules/services/devicekit.te      |    6 
 modules/services/dnsmasq.te        |    4 
 modules/services/dovecot.if        |   34 ++--
 modules/services/dovecot.te        |   20 +-
 modules/services/exim.te           |    6 
 modules/services/fetchmail.te      |    2 
 modules/services/fprintd.te        |    8 -
 modules/services/ftp.te            |    7 
 modules/services/gnomeclock.te     |    1 
 modules/services/gpsd.fc           |    3 
 modules/services/gpsd.te           |   17 ++
 modules/services/hal.te            |   14 +
 modules/services/kerberos.if       |    2 
 modules/services/kerberos.te       |   12 +
 modules/services/lircd.te          |    4 
 modules/services/mailman.if        |    1 
 modules/services/mta.if            |    1 
 modules/services/mysql.te          |    6 
 modules/services/nis.te            |    3 
 modules/services/nslcd.fc          |    4 
 modules/services/nslcd.if          |  145 +++++++++++++++++++
 modules/services/nslcd.te          |   50 ++++++
 modules/services/openvpn.te        |    1 
 modules/services/pcscd.te          |    3 
 modules/services/polkit.fc         |    2 
 modules/services/polkit.if         |    2 
 modules/services/polkit.te         |    1 
 modules/services/postfix.if        |   26 +++
 modules/services/postfix.te        |   26 ---
 modules/services/postgresql.te     |    2 
 modules/services/ppp.if            |    6 
 modules/services/privoxy.te        |    3 
 modules/services/pyzor.fc          |    2 
 modules/services/pyzor.te          |    2 
 modules/services/rpc.te            |   12 +
 modules/services/rsync.te          |    2 
 modules/services/sendmail.if       |   39 +++++
 modules/services/sendmail.te       |    7 
 modules/services/setroubleshoot.te |    5 
 modules/services/shorewall.fc      |   12 -
 modules/services/shorewall.if      |  166 ----------------------
 modules/services/shorewall.te      |  102 -------------
 modules/services/spamassassin.fc   |    4 
 modules/services/spamassassin.te   |    1 
 modules/services/ssh.if            |   23 ++-
 modules/services/ssh.te            |    4 
 modules/services/uucp.te           |    2 
 modules/services/virt.te           |   29 ++-
 modules/services/xserver.fc        |    2 
 modules/services/xserver.if        |   41 +++++
 modules/services/xserver.te        |   11 +
 modules/system/authlogin.fc        |    3 
 modules/system/authlogin.if        |  223 ++++++++++++++++--------------
 modules/system/authlogin.te        |   27 +--
 modules/system/init.fc             |    2 
 modules/system/init.te             |    2 
 modules/system/ipsec.te            |   34 ++--
 modules/system/iptables.te         |    4 
 modules/system/iscsi.te            |    1 
 modules/system/libraries.fc        |   11 +
 modules/system/locallogin.te       |    6 
 modules/system/miscfiles.fc        |    1 
 modules/system/sysnetwork.te       |   17 +-
 modules/system/udev.fc             |    1 
 modules/system/udev.te             |    6 
 modules/system/userdomain.if       |   28 ++-
 modules/system/virtual.te          |    5 
 modules/system/xen.te              |    1 
 124 files changed, 2022 insertions(+), 635 deletions(-)

Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -p -r1.39 -r1.40
--- policy-20090521.patch	4 Aug 2009 11:25:19 -0000	1.39
+++ policy-20090521.patch	5 Aug 2009 21:49:50 -0000	1.40
@@ -167,7 +167,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-06-25 10:19:43.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-07-13 11:23:45.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-08-05 21:59:03.000000000 +0200
 @@ -50,11 +50,13 @@
  domain_use_interactive_fds(readahead_t)
  domain_read_all_domains_state(readahead_t)
@@ -517,6 +517,20 @@ diff -b -B --ignore-all-space --exclude-
 +
 +permissive shorewall_t;
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.12/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if	2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/admin/sudo.if	2009-08-05 23:24:01.000000000 +0200
+@@ -152,6 +152,10 @@
+ 	optional_policy(`
+ 		dbus_system_bus_client($1_sudo_t)
+ 	')
++
++	optional_policy(`
++		fprintd_dbus_chat($1_sudo_t)
++	')
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-06-25 10:19:43.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te	2009-06-25 10:21:01.000000000 +0200
@@ -528,6 +542,19 @@ diff -b -B --ignore-all-space --exclude-
  
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(groupadd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.12/policy/modules/apps/calamaris.te
+--- nsaserefpolicy/policy/modules/apps/calamaris.te	2009-04-07 21:54:49.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/calamaris.te	2009-08-05 23:27:19.000000000 +0200
+@@ -82,5 +82,9 @@
+ ')
+ 
+ optional_policy(`
++	nscd_socket_use(calamaris_t)
++')  
++
++optional_policy(`
+ 	nis_use_ypbind(calamaris_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
 --- nsaserefpolicy/policy/modules/apps/gitosis.fc	1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc	2009-06-25 10:21:01.000000000 +0200
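Review bot: The closing `')` of the new `nscd_socket_use(calamaris_t)` block carries two trailing spaces (`')  `), which none of the neighbouring blocks in calamaris.te have; trim it to a bare `')`. The rest of the hunk is consistent with the existing `nis_use_ypbind` block it is inserted before.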
@@ -1291,6 +1318,17 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
 +	hal_dbus_chat(sandbox_net_client_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
+--- nsaserefpolicy/policy/modules/apps/screen.if	2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/screen.if	2009-08-05 23:21:33.000000000 +0200
+@@ -62,6 +62,7 @@
+ 	manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
+ 	filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
+ 	files_pid_filetrans($1_screen_t, screen_dir_t, dir)
++	dontaudit $3 screen_var_run_t:fifo_file read;
+ 
+ 	allow $1_screen_t screen_home_t:dir list_dir_perms;
+ 	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 21:54:49.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2009-06-25 10:21:01.000000000 +0200
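Review bot: `dontaudit $3 screen_var_run_t:fifo_file read;` is added to screen_role_template with no comment on why the denial is expected, so a later reader cannot tell a deliberate silence from a missing allow. If `$3` is the template's user-domain parameter (as in the refpolicy template), a one-liner such as `# the user domain probes screen's fifo; silence the harmless read denial` above it would record the intent. The enclosing template starts and ends outside the hunk.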
@@ -1795,7 +1833,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read and write the controlling
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-06-25 10:21:01.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-08-05 21:52:27.000000000 +0200
 @@ -44,6 +44,10 @@
  ')
  
@@ -1807,7 +1845,18 @@ diff -b -B --ignore-all-space --exclude-
  	secadm_role_change(staff_r)
  ')
  
-@@ -95,6 +99,10 @@
+@@ -87,6 +91,10 @@
+ ')
+ 
+ optional_policy(`
++        lpd_list_spool(staff_t)
++')
++
++optional_policy(`
+ 	kerneloops_dbus_chat(staff_t)
+ ')
+ 
+@@ -95,6 +103,10 @@
  ')
  
  optional_policy(`
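Review bot: `        lpd_list_spool(staff_t)` is indented with eight spaces while the surrounding staff.te rules use a tab; the same space-for-tab indentation appears in the dbus.if hunk (`xserver_use_xdm($1_dbusd_t)` and its closing `')`) and in the new `xserver_search_xdm_lib` interface in xserver.if, so all three should be retabbed to match their files. The new block is also inserted ahead of the `kerneloops_dbus_chat(staff_t)` block, breaking the alphabetical ordering of optional_policy blocks the file otherwise follows; moving it after the kerneloops block fixes that.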
@@ -2128,6 +2177,20 @@ diff -b -B --ignore-all-space --exclude-
  userdom_home_filetrans_user_home_dir(cups_pdf_t)
  userdom_manage_user_home_content_dirs(cups_pdf_t)
  userdom_manage_user_home_content_files(cups_pdf_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if
+--- nsaserefpolicy/policy/modules/services/dbus.if	2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/dbus.if	2009-08-05 21:48:06.000000000 +0200
+@@ -176,6 +176,10 @@
+ 		xserver_use_xdm_fds($1_dbusd_t)
+ 		xserver_rw_xdm_pipes($1_dbusd_t)
+ 	')
++
++	optional_policy(`
++                xserver_use_xdm($1_dbusd_t)
++        ')
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2009-06-25 10:19:44.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/services/dcc.te	2009-06-25 10:21:01.000000000 +0200
@@ -3776,7 +3839,7 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(uucpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-08-04 09:35:17.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-08-05 20:44:32.000000000 +0200
 @@ -22,6 +22,13 @@
  
  ## <desc>
@@ -3820,9 +3883,11 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	brctl_domtrans(virtd_t)
  ')
-@@ -306,7 +321,9 @@
+@@ -305,8 +320,11 @@
+ manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
  manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
  manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
++manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
  files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
 +stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t)
  
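Review bot: `manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)` grants the create permission the log message asks for, but the unchanged `files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })` on the next line still lists only dir and file, so a socket svirt_t creates directly under /var/run would inherit var_run_t from the parent directory and the new rule would not match it. If those sockets are created in /var/run itself rather than inside an already-labelled svirt_var_run_t directory, the filetrans should read `files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file sock_file })`. If they only ever live inside an svirt_var_run_t directory this is moot, but a comment saying so would save the next reader the same question.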
@@ -3830,7 +3895,7 @@ diff -b -B --ignore-all-space --exclude-
  allow svirt_t svirt_image_t:dir search_dir_perms;
  manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
  manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
-@@ -316,16 +333,17 @@
+@@ -316,16 +334,17 @@
  dontaudit svirt_t virt_content_t:file write_file_perms;
  dontaudit svirt_t virt_content_t:dir write;
  
@@ -3851,7 +3916,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_udp_sendrecv_generic_if(svirt_t)
  corenet_udp_sendrecv_generic_node(svirt_t)
  corenet_udp_sendrecv_all_ports(svirt_t)
-@@ -353,10 +371,6 @@
+@@ -353,10 +372,6 @@
  ')
  
  optional_policy(`
@@ -3883,8 +3948,45 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.if	2009-06-25 10:21:01.000000000 +0200
-@@ -861,6 +861,24 @@
++++ serefpolicy-3.6.12/policy/modules/services/xserver.if	2009-08-05 23:23:17.000000000 +0200
+@@ -599,9 +599,10 @@
+ #
+ interface(`xserver_use_xdm_fds',`
+ 	gen_require(`
+-		type xdm_t;
++		type xdm_t, xdm_home_t;
+ 	')
+ 
++	allow $1 xdm_home_t:file append_file_perms;
+ 	allow $1 xdm_t:fd use; 
+ ')
+ 
+@@ -779,6 +780,24 @@
+ 	manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
+ ')
+ 
++#######################################
++## <summary>
++##      Search XDM var lib dirs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`xserver_search_xdm_lib',`
++        gen_require(`
++                type xdm_var_lib_t;
++        ')
++
++        allow $1 xdm_var_lib_t:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read XDM var lib files.
+@@ -861,6 +880,24 @@
  
  ########################################
  ## <summary>
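Review bot: `allow $1 xdm_home_t:file append_file_perms;` is added inside xserver_use_xdm_fds, an interface whose name and summary (above the hunk) promise only fd use, so every existing caller — including `$1_dbusd_t` via the dbus.if hunk in this same patch — silently gains append on xdm_home_t files. A dedicated interface (e.g. `xserver_append_xdm_home_files`) called only by the domains that need it would keep the grant scoped; failing that, the summary of xserver_use_xdm_fds should be updated to state that it also appends to XDM home files. The new `xserver_search_xdm_lib` interface is fine in substance but its `gen_require` also names only `xdm_var_lib_t`, which the hunk does not show being declared — worth confirming the type exists in xserver.te.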
@@ -3909,8 +4011,11 @@ diff -b -B --ignore-all-space --exclude-
  ##	Execute an X session in the target domain.  This
  ##	is an explicit transition, requiring the
  ##	caller to use setexeccon().
-@@ -1411,6 +1429,7 @@
+@@ -1409,8 +1446,10 @@
+ 	# Allow connections to X server.
+ 	xserver_stream_connect_xdm($1)
  	xserver_read_xdm_tmp_files($1)
++	xserver_search_xdm_lib($1)
  	xserver_xdm_stream_connect($1)
  	xserver_setattr_xdm_tmp_dirs($1)
 +	xserver_read_xdm_pid($1)
@@ -4751,7 +4856,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-07-31 09:32:45.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-08-05 23:25:40.000000000 +0200
 @@ -627,12 +627,6 @@
  		')
  
@@ -4765,7 +4870,7 @@ diff -b -B --ignore-all-space --exclude-
  			evolution_dbus_chat($1_usertype)
  			evolution_alarm_dbus_chat($1_usertype)
  	')
-@@ -968,6 +962,16 @@
+@@ -968,6 +962,21 @@
  	')
  
  		optional_policy(`
@@ -4775,6 +4880,11 @@ diff -b -B --ignore-all-space --exclude-
 +	')
 +
 +	optional_policy(`
++		fprintd_dbus_chat($1_t)
++	')
++
++
++	optional_policy(`
 +		gnomeclock_dbus_chat($1_usertype)
 +	')
 +
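Review bot: `fprintd_dbus_chat($1_t)` targets `$1_t` while every neighbouring rule in this template targets `$1_usertype` (`gnomeclock_dbus_chat($1_usertype)`, and `evolution_dbus_chat($1_usertype)` in the hunk above), so derived domains carried by the usertype attribute would not get the fprintd chat permission. If the attribute is intended, change it to `fprintd_dbus_chat($1_usertype)`; if only the base domain should talk to fprintd, a comment saying why would prevent the next person from "fixing" it. The block is also followed by two blank lines where the file uses one, and the enclosing template starts and ends outside the hunk.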
@@ -4782,7 +4892,7 @@ diff -b -B --ignore-all-space --exclude-
  		gnome_manage_config($1_usertype)
  		gnome_manage_gconf_home_files($1_usertype)
  		gnome_read_gconf_config($1_usertype)
-@@ -1457,6 +1461,7 @@
+@@ -1457,6 +1466,7 @@
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -4790,7 +4900,7 @@ diff -b -B --ignore-all-space --exclude-
  	files_search_home($1)
  ')
  
-@@ -1880,7 +1885,7 @@
+@@ -1880,7 +1890,7 @@
  		type user_home_t;
  	')
  
@@ -4799,7 +4909,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -3317,10 +3322,6 @@
+@@ -3317,10 +3327,6 @@
    seutil_run_newrole($1_t, $1_r)
  
    optional_policy(`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.894
retrieving revision 1.895
diff -u -p -r1.894 -r1.895
--- selinux-policy.spec	4 Aug 2009 09:38:12 -0000	1.894
+++ selinux-policy.spec	5 Aug 2009 21:49:50 -0000	1.895
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 73%{?dist}
+Release: 74%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Aug 5 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-74
+- Allow svirt images to create sock_file in svirt_var_run_t
+
 * Tue Aug 4 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-73
 - Allow svirt_t to stream_connect to virtd_t 
 



