rpms/selinux-policy/F-9 policy-20071130.patch, 1.255, 1.256 selinux-policy.spec, 1.740, 1.741
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Feb 27 08:50:04 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16190
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
- Fix qemu labeling
- Fix mysqld_safe policy
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.255
retrieving revision 1.256
diff -u -r1.255 -r1.256
--- policy-20071130.patch 19 Feb 2009 13:10:37 -0000 1.255
+++ policy-20071130.patch 27 Feb 2009 08:49:59 -0000 1.256
@@ -644450,7 +644450,7 @@
read_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2009-02-27 09:29:43.000000000 +0100
@@ -1,28 +1,28 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
-
@@ -644498,7 +644498,7 @@
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -47,12 +49,18 @@
+@@ -47,12 +49,20 @@
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -644511,21 +644511,23 @@
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -65,11 +73,26 @@
+@@ -65,11 +75,26 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
-+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
@@ -650871,7 +650873,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.3.1/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/dovecot.te 2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/dovecot.te 2009-02-27 09:21:55.000000000 +0100
@@ -15,6 +15,15 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -650971,7 +650973,7 @@
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -184,5 +213,53 @@
+@@ -184,5 +213,55 @@
')
optional_policy(`
@@ -651008,6 +651010,8 @@
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
++files_search_tmp(dovecot_deliver_t)
++fs_getattr_all_fs(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
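Review bot: `fs_getattr_all_fs(dovecot_deliver_t)` grants getattr on every filesystem type the policy knows about, which is the widest of the fs_getattr_* interfaces; if the denial that motivated it was a statfs on a single filesystem (the mail store or tmp), the per-filesystem interface would be the narrower fix. A why-comment above the pair, such as `# statfs on the mail location during delivery -- replace with a targeted fs_getattr_* once the fs is known`, would record what the grant exists for so it can be narrowed later. The dovecot_deliver_t rules continue outside the hunk.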
@@ -653389,6 +653393,17 @@
+ dbus_connect_system_bus(kerneloops_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.3.1/policy/modules/services/ktalk.te
+--- nsaserefpolicy/policy/modules/services/ktalk.te 2008-02-26 14:23:10.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/ktalk.te 2009-02-27 09:39:10.000000000 +0100
+@@ -69,6 +69,7 @@
+ files_read_etc_files(ktalkd_t)
+
+ term_search_ptys(ktalkd_t)
++term_use_all_terms(ktalkd_t)
+
+ auth_use_nsswitch(ktalkd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.3.1/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2008-02-26 14:23:10.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/ldap.fc 2009-02-12 22:21:57.000000000 +0100
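Review bot: `term_use_all_terms(ktalkd_t)` added after the existing `term_search_ptys(ktalkd_t)` grants read/write on every tty and pty type, console included; that is presumably what the daemon needs to write talk announcements onto an invitee's terminal, but it is the broadest terminal interface available. A one-line comment above it, `# ktalkd writes talk announcements to logged-in users' terminals`, would record why a pty-only interface was not sufficient. The ktalkd_t block continues outside the hunk.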
@@ -654609,7 +654624,7 @@
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2009-02-13 10:52:23.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2009-02-27 09:20:53.000000000 +0100
@@ -32,9 +32,11 @@
interface(`mysql_stream_connect',`
gen_require(`
@@ -654632,10 +654647,39 @@
')
########################################
-@@ -157,3 +160,93 @@
- logging_search_logs($1)
- allow $1 mysqld_log_t:file { write append setattr ioctl };
+@@ -118,6 +121,25 @@
+ allow $1 mysqld_db_t:dir manage_dir_perms;
')
+
++######################################
++## <summary>
++## Create, read, write, and delete MySQL database files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mysql_manage_db_files',`
++ gen_require(`
++ type mysqld_db_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write to the MySQL database
+@@ -155,5 +177,95 @@
+ ')
+
+ logging_search_logs($1)
+- allow $1 mysqld_log_t:file { write append setattr ioctl };
++ write_files_pattern($1,mysqld_log_t,mysqld_log_t)
++')
+
+####################################
+## <summary>
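Review bot: Replacing `allow $1 mysqld_log_t:file { write append setattr ioctl };` with `write_files_pattern($1,mysqld_log_t,mysqld_log_t)` silently drops `setattr` -- write_file_perms covers getattr/open/write/append/lock/ioctl but not attribute changes. A caller that chowns or chmods the error log will now be denied; mysqld_safe_t, which calls mysql_write_log and is given `chown fowner` capabilities elsewhere in this commit, looks like such a caller. Either keep `allow $1 mysqld_log_t:file setattr;` after the pattern call or state in the interface's `<summary>` that changing log attributes is not granted. The enclosing interface (`mysql_write_log`, inner hunk `@@ -155,5 +177,95 @@`) starts outside this hunk.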
@@ -654725,10 +654769,10 @@
+ manage_all_pattern($1,mysqld_log_t)
+
+ manage_all_pattern($1,mysqld_tmp_t)
-+')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.3.1/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-02-13 10:02:36.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-02-27 09:18:38.000000000 +0100
@@ -10,6 +10,10 @@
type mysqld_exec_t;
init_daemon_domain(mysqld_t,mysqld_exec_t)
@@ -654770,7 +654814,7 @@
domain_use_interactive_fds(mysqld_t)
-@@ -119,3 +128,32 @@
+@@ -119,3 +128,38 @@
optional_policy(`
udev_read_db(mysqld_t)
')
@@ -654785,14 +654829,18 @@
+allow mysqld_safe_t self:capability { dac_override fowner chown };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
++append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
++
+mysql_read_config(mysqld_safe_t)
-+mysql_search_db(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
+
+kernel_read_system_state(mysqld_safe_t)
+
++dev_list_sysfs(mysqld_safe_t)
++
+files_read_etc_files(mysqld_safe_t)
++files_read_usr_files(mysqld_safe_t)
+
+corecmd_exec_bin(mysqld_safe_t)
+
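Review bot: `append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)` lets the wrapper append to every file of the database-directory type, not only the error log it presumably writes into the datadir; if the error log is the target, a dedicated log type with its own file context would keep mysqld_safe_t away from the table files. At minimum a comment naming the file the rule is for, `# append to the error log kept in the datadir -- TODO confirm and consider a dedicated type`, would make the grant reviewable later. The mysqld_safe_t block starts and ends outside the hunk.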
@@ -654801,6 +654849,8 @@
+
+miscfiles_read_localization(mysqld_safe_t)
+
++hostname_exec(mysqld_safe_t)
++
+permissive mysqld_safe_t;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.3.1/policy/modules/services/nagios.fc
@@ -661418,7 +661468,7 @@
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2009-02-27 09:13:12.000000000 +0100
@@ -88,8 +88,11 @@
# bind to arbitary unused ports
corenet_tcp_bind_generic_port($1_t)
@@ -661432,7 +661482,7 @@
fs_rw_rpc_named_pipes($1_t)
fs_search_auto_mountpoints($1_t)
-@@ -208,6 +211,24 @@
+@@ -208,6 +211,25 @@
########################################
## <summary>
@@ -661450,6 +661500,7 @@
+ ')
+
+ domtrans_pattern($1,rpcd_exec_t,rpcd_t)
++ allow rpcd_t $1:process signal;
+')
+
+########################################
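Review bot: `allow rpcd_t $1:process signal;` sits inside the domain-transition interface, so every domain that uses it also becomes a target for arbitrary signals from rpcd_t; `domtrans_pattern` on the line above already grants `sigchld` back to the caller, so if the exit notification is all that is needed the new line is redundant, and if rpcd genuinely sends other signals the interface's `<summary>` should say so. A comment above the rule such as `# rpcd signals the domain that started it -- <signal/reason>` would record the intent. The interface header and summary lie outside this hunk.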
@@ -661457,7 +661508,7 @@
## Read NFS exported content.
## </summary>
## <param name="domain">
-@@ -338,3 +359,22 @@
+@@ -338,3 +360,22 @@
files_search_var_lib($1)
read_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
')
@@ -662208,7 +662259,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2009-02-13 10:19:03.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2009-02-27 09:28:30.000000000 +0100
@@ -17,6 +17,13 @@
## <desc>
@@ -662441,17 +662492,24 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +469,7 @@
+@@ -401,14 +467,10 @@
+ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
+
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
++read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-allow nmbd_t samba_log_t:file unlink;
+-
+-read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+-create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+-allow nmbd_t samba_log_t:dir setattr;
+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
- read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
- create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +504,7 @@
+ manage_files_pattern(nmbd_t,samba_var_t,samba_var_t)
+
+@@ -439,6 +501,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
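Review bot: `read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)` is written with a space after each comma while the neighbouring calls in this block (`read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)` directly above it, `manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)` below) omit it; match the local style with `read_lnk_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)`. The nmbd_t rules continue on both sides of the hunk.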
@@ -662459,7 +662517,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +588,7 @@
+@@ -522,6 +585,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -662467,7 +662525,7 @@
corecmd_list_bin(smbmount_t)
-@@ -533,41 +600,50 @@
+@@ -533,41 +597,50 @@
auth_use_nsswitch(smbmount_t)
@@ -662528,7 +662586,7 @@
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +653,9 @@
+@@ -577,7 +650,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -662539,7 +662597,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -602,10 +680,12 @@
+@@ -602,10 +677,12 @@
dev_read_urand(swat_t)
@@ -662552,7 +662610,7 @@
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -614,6 +694,7 @@
+@@ -614,6 +691,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@@ -662560,7 +662618,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -631,6 +712,17 @@
+@@ -631,6 +709,17 @@
kerberos_use(swat_t)
')
@@ -662578,7 +662636,7 @@
########################################
#
# Winbind local policy
-@@ -673,12 +765,15 @@
+@@ -673,12 +762,15 @@
manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
@@ -662594,7 +662652,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -764,8 +859,13 @@
+@@ -764,8 +856,13 @@
miscfiles_read_localization(winbind_helper_t)
optional_policy(`
@@ -662608,7 +662666,7 @@
')
########################################
-@@ -774,19 +874,64 @@
+@@ -774,19 +871,64 @@
#
optional_policy(`
@@ -671368,18 +671426,20 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.fc serefpolicy-3.3.1/policy/modules/system/qemu.fc
--- nsaserefpolicy/policy/modules/system/qemu.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.fc 2009-02-13 09:48:32.000000000 +0100
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.fc 2009-02-27 09:23:38.000000000 +0100
+@@ -0,0 +1,8 @@
+
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
-+/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)
++/var/cache/libvirt(/.*)? gen_context(system_u:object_r:qemu_cache_t,s0)
++
++/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2009-02-13 09:47:42.000000000 +0100
-@@ -0,0 +1,341 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2009-02-27 09:26:49.000000000 +0100
+@@ -0,0 +1,343 @@
+
+## <summary>policy for qemu</summary>
+
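Review bot: The new `/var/cache/libvirt(/.*)? gen_context(system_u:object_r:qemu_cache_t,s0)` entry references `qemu_cache_t`, but nothing in this view declares that type; if qemu.te does not gain `type qemu_cache_t; files_type(qemu_cache_t);` plus the rules that let the domain use it in the same commit, the module will fail to load on the undeclared type. Only the qemu.fc and qemu.if hunks are visible here, so this may be handled elsewhere in the full diff and is worth confirming.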
@@ -671660,8 +671720,10 @@
+ manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ files_pid_filetrans($1_t, $1_var_run_t, file)
++ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t, $1_var_run_t, { file dir})
+
+ dev_read_sound($1_t)
+ dev_write_sound($1_t)
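Review bot: `files_pid_filetrans($1_t, $1_var_run_t, { file dir})` lacks the space before the closing brace that `files_tmp_filetrans($1_t, $1_tmp_t, { file dir })` a few lines above uses; write `{ file dir }` for consistency. Separately, `manage_lnk_files_pattern` is now granted on `$1_var_run_t` but `lnk_file` is not in the filetrans set, so a symlink the domain creates directly in the pid directory would keep the default type rather than `$1_var_run_t`; if that case can occur, add `lnk_file` to the set. The template body continues outside the hunk.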
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.740
retrieving revision 1.741
diff -u -r1.740 -r1.741
--- selinux-policy.spec 19 Feb 2009 16:37:39 -0000 1.740
+++ selinux-policy.spec 27 Feb 2009 08:50:01 -0000 1.741
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 124%{?dist}
+Release: 125%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,10 @@
%endif
%changelog
+* Thu Feb 27 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-125
+- Fix qemu labeling
+- Fix mysqld_safe policy
+
* Thu Feb 19 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-124
- Fix kismet policy
- Fix lables for libraries that need textrel_shlib_t