rpms/selinux-policy/devel modules-minimum.conf, 1.10, 1.11 modules-mls.conf, 1.45, 1.46 modules-targeted.conf, 1.112, 1.113 policy-20090105.patch, 1.15, 1.16 selinux-policy.spec, 1.770, 1.771
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Jan 21 20:39:48 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4779
Modified Files:
modules-minimum.conf modules-mls.conf modules-targeted.conf
policy-20090105.patch selinux-policy.spec
Log Message:
* Wed Jan 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-4
- Add wm policy
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- modules-minimum.conf 19 Jan 2009 22:10:11 -0000 1.10
+++ modules-minimum.conf 21 Jan 2009 20:39:17 -0000 1.11
@@ -527,6 +527,13 @@
#
polkit = module
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+#
+psad = module
+
# Layer: system
# Module: hostname
#
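Review bot: This hunk turns on `psad = module` in the minimum module list, but the only changelog entry this commit adds to selinux-policy.spec (3.6.3-4) reads "Add wm policy", so the psad enablement is not recorded anywhere in the package history; the identical hunks in modules-mls.conf and modules-targeted.conf have the same gap. Suggest a second changelog line, `- Enable psad module (iptables log analysis)`, so the new default-loaded service module is traceable from the spec. The description block itself (`# Analyze iptables log for hostile traffic`) is fine and consistent across the three files.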
Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- modules-mls.conf 21 Jan 2009 16:17:40 -0000 1.45
+++ modules-mls.conf 21 Jan 2009 20:39:17 -0000 1.46
@@ -527,6 +527,13 @@
#
polkit = module
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+#
+psad = module
+
# Layer: system
# Module: hostname
#
@@ -1329,13 +1336,6 @@
#
wine = module
-# Layer: apps
-# Module: wm
-#
-# X windows window manager
-#
-#wm = module
-
# Layer: admin
# Module: tzdata
#
@@ -1767,3 +1767,11 @@
#
#
milter = module
+
+# Layer: apps
+# Module: wm
+#
+# X windows window manager
+#
+wm = module
+
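Review bot: `wm = module` is now enabled for the MLS policy, and the template it loads (`wm_role_template` in the wm.if hunk later in this commit, which is partly cut by the suppressed lines) grants every derived `$1_wm_t` `mls_file_read_all_levels`, `mls_file_write_all_levels`, `mls_xwin_read_all_levels`, `mls_xwin_write_all_levels` and `mls_fd_use_all_levels` under `enable_mls`; the one-line description `# X windows window manager` does not convey that this is a level-override domain. As far as the visible lines show, the removed single `wm_t` carried the same block, so what changes here is that the grant now applies per user prefix rather than to one `user_r` domain. Suggest widening the description to `# X windows window manager (MLS: derived wm domains read/write all levels)` so whoever enables the module in this list sees the trust it implies. If targeted and minimum are meant to have no wm entry at all (neither list gains even a commented `#wm = module` here), a short note in the changelog would make that intent explicit.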
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.112
retrieving revision 1.113
diff -u -r1.112 -r1.113
--- modules-targeted.conf 19 Jan 2009 22:10:11 -0000 1.112
+++ modules-targeted.conf 21 Jan 2009 20:39:17 -0000 1.113
@@ -527,6 +527,13 @@
#
polkit = module
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+#
+psad = module
+
# Layer: system
# Module: hostname
#
policy-20090105.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.15 -r 1.16 policy-20090105.patch
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- policy-20090105.patch 21 Jan 2009 16:17:40 -0000 1.15
+++ policy-20090105.patch 21 Jan 2009 20:39:17 -0000 1.16
@@ -2194,7 +2194,7 @@
+seutil_domtrans_setfiles_mac(livecd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.3/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/apps/mono.if 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/mono.if 2009-01-21 12:26:56.000000000 -0500
@@ -21,6 +21,103 @@
########################################
@@ -3933,8 +3933,8 @@
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.3/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/wm.if 2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,19 @@
++++ serefpolicy-3.6.3/policy/modules/apps/wm.if 2009-01-21 14:33:42.000000000 -0500
+@@ -0,0 +1,108 @@
+## <summary>Window Manager.</summary>
+
+########################################
@@ -3954,114 +3954,108 @@
+
+ can_exec($1, wm_exec_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.3/policy/modules/apps/wm.te
---- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/wm.te 2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,104 @@
-+policy_module(wm,0.0.4)
+
-+########################################
-+#
-+# Declarations
++#######################################
++## <summary>
++## The role template for the wm module.
++## </summary>
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for wm applications.
++## </p>
++## </desc>
++## <param name="role_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_role">
++## <summary>
++## The role associated with the user domain.
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
+#
++template(`wm_role_template',`
++ gen_require(`
++ type wm_exec_t;
++ ')
+
-+type wm_t;
-+type wm_exec_t;
-+domain_type(wm_t)
-+domain_entry_file(wm_t,wm_exec_t)
-+role user_r types wm_t;
-+
-+type wm_tmpfs_t;
-+
-+files_read_etc_files(wm_t)
-+
-+nscd_dontaudit_search_pid(wm_t)
-+
-+miscfiles_read_localization(wm_t)
-+
-+dev_read_urand(wm_t)
-+
-+files_list_tmp(wm_t)
++ type $1_wm_t;
++ domain_type($1_wm_t)
++ domain_entry_file($1_wm_t, wm_exec_t)
++ role $2 types $1_wm_t;
+
-+allow wm_t proc_t:file { read getattr };
++ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
-+allow wm_t info_xproperty_t:x_property { write create };
++ corecmd_bin_domtrans($1_wm_t, $1_t)
++ corecmd_shell_domtrans($1_wm_t, $1_t)
+
-+allow wm_t self:process getsched;
-+allow wm_t self:x_drawable blend;
++ ifdef(`enable_mls',`
++ mls_file_read_all_levels($1_wm_t)
++ mls_file_write_all_levels($1_wm_t)
++ mls_xwin_read_all_levels($1_wm_t)
++ mls_xwin_write_all_levels($1_wm_t)
++ mls_fd_use_all_levels($1_wm_t)
++ ')
+
-+allow wm_t tmpfs_t:file { read write };
++ files_read_etc_files($1_wm_t)
++ files_read_usr_files($1_wm_t)
+
-+allow wm_t usr_t:file { read getattr };
-+allow wm_t usr_t:lnk_file read;
++ miscfiles_read_fonts($1_wm_t)
++ miscfiles_read_localization($1_wm_t)
+
-+allow wm_t user_tmp_t:dir { write search setattr remove_name getattr add_name };
-+allow wm_t user_tmp_t:sock_file { write create unlink };
++ optional_policy(`
++ gnome_read_config($1_wm_t)
++ gnome_read_gconf_config($1_wm_t)
++ ')
+
-+allow wm_t user_t:unix_stream_socket connectto;
-+allow wm_t self:fifo_file { write read };
++ auth_use_nsswitch($1_wm_t)
+
++ kernel_read_system_state($1_wm_t)
+
-+allow wm_t client_xevent_t:x_synthetic_event send;
-+allow wm_t focus_xevent_t:x_event receive;
-+allow wm_t input_xevent_t:x_event receive;
-+allow wm_t manage_xevent_t:x_event receive;
-+allow wm_t manage_xevent_t:x_synthetic_event { receive send };
-+allow wm_t property_xevent_t:x_event receive;
-+allow wm_t xproperty_t:x_property { read write destroy };
-+allow wm_t rootwindow_t:x_colormap { install uninstall use add_color remove_color read };
-+allow wm_t rootwindow_t:x_drawable { read write manage setattr get_property hide show receive set_property create send add_child remove_child getattr list_property blend list_child destroy override };
-+allow wm_t xproperty_t:x_property { write read };
-+allow wm_t xserver_t:x_device { force_cursor setfocus use setattr grab manage getattr freeze write };
-+allow wm_t xserver_t:x_resource { read write };
-+allow wm_t xserver_t:x_screen setattr;
-+allow wm_t xselection_t:x_selection setattr;
++ allow $1_wm_t self:fifo_file rw_fifo_file_perms;
++ allow $1_wm_t self:process getsched;
++ allow $1_wm_t self:shm create_shm_perms;
+
-+allow wm_t :x_drawable { get_property setattr show receive manage send read getattr list_child set_property };
-+allow wm_t $2_t:x_resource { read write };
++ allow $1_wm_t $1_t:unix_stream_socket connectto;
+
-+ifdef(`enable_mls',`
-+ mls_file_read_all_levels(wm_t)
-+ mls_file_write_all_levels(wm_t)
-+ mls_xwin_read_all_levels(wm_t)
-+ mls_xwin_write_all_levels(wm_t)
-+ mls_fd_use_all_levels(wm_t)
-+')
++ optional_policy(`
++ dbus_system_bus_client($1_wm_t)
++ ')
+
-+corecmd_exec_bin(wm_t)
-+can_exec(wm_t, { shell_exec_t })
-+domtrans_pattern(wm_t,bin_t,user_t)
++ userdom_unpriv_usertype($1, $1_wm_t)
+
-+allow user_t wm_t:unix_stream_socket connectto;
-+allow user_t wm_t:x_drawable { receive get_property getattr list_child };
++ userdom_manage_home_role($1_r, $1_wm_t)
++ userdom_manage_tmpfs_role($1_r, $1_wm_t)
++ userdom_manage_tmp_role($1_r, $1_wm_t)
+
-+allow user_t wm_t:process signal;
++ dev_read_urand($1_wm_t)
+
-+optional_policy(`
-+ dbus_system_bus_client(wm_t)
-+ dbus_user_bus_client(user,wm_t)
++ optional_policy(`
++ xserver_role($1_r, $1_wm_t)
++ xserver_use_xdm($1_wm_t)
++ ')
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.3/policy/modules/apps/wm.te
+--- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/wm.te 2009-01-21 12:37:15.000000000 -0500
+@@ -0,0 +1,9 @@
++policy_module(wm,0.0.4)
+
-+allow wm_t user_home_t:dir { search getattr };
-+allow wm_t user_xproperty_t:x_property { read write destroy };
-+allow wm_t default_t:dir search;
-+allow wm_t home_root_t:dir search;
-+allow wm_t user_home_dir_t:dir search;
[...1664 lines suppressed...]
kernel_sigchld_unlabeled($1_t)
@@ -27770,7 +28407,7 @@
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,8 +1175,6 @@
+@@ -1106,8 +1184,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -27779,7 +28416,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1229,6 @@
+@@ -1162,20 +1238,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -27800,7 +28437,7 @@
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1274,7 @@
+@@ -1221,6 +1283,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -27808,7 +28445,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1340,15 @@
+@@ -1286,11 +1349,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -27824,7 +28461,7 @@
')
########################################
-@@ -1387,7 +1445,7 @@
+@@ -1387,7 +1454,7 @@
########################################
## <summary>
@@ -27833,7 +28470,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -1420,6 +1478,14 @@
+@@ -1420,6 +1487,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -27848,7 +28485,7 @@
')
########################################
-@@ -1435,9 +1501,11 @@
+@@ -1435,9 +1510,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -27860,7 +28497,7 @@
')
########################################
-@@ -1494,6 +1562,25 @@
+@@ -1494,6 +1571,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -27886,7 +28523,7 @@
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1547,9 +1634,9 @@
+@@ -1547,9 +1643,9 @@
type user_home_dir_t, user_home_t;
')
@@ -27898,7 +28535,7 @@
')
########################################
-@@ -1568,6 +1655,8 @@
+@@ -1568,6 +1664,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -27907,7 +28544,7 @@
')
########################################
-@@ -1643,6 +1732,7 @@
+@@ -1643,6 +1741,7 @@
type user_home_dir_t, user_home_t;
')
@@ -27915,7 +28552,7 @@
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,6 +1831,62 @@
+@@ -1741,6 +1840,62 @@
########################################
## <summary>
@@ -27978,7 +28615,7 @@
## Execute user home files.
## </summary>
## <param name="domain">
-@@ -1757,14 +1903,6 @@
+@@ -1757,14 +1912,6 @@
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -27993,7 +28630,7 @@
')
########################################
-@@ -1787,6 +1925,46 @@
+@@ -1787,6 +1934,46 @@
########################################
## <summary>
@@ -28040,7 +28677,44 @@
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
-@@ -2819,6 +2997,24 @@
+@@ -1921,6 +2108,36 @@
+
+ ########################################
+ ## <summary>
++## Create objects in the /root directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++#
++interface(`userdom_admin_home_dir_filetrans',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ filetrans_pattern($1, admin_home_t, $2, $3)
++')
++
++########################################
++## <summary>
+ ## Create objects in a user home directory
+ ## with an automatic type transition to
+ ## a specified private type.
+@@ -2819,6 +3036,24 @@
########################################
## <summary>
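Review bot: The new `userdom_admin_home_dir_filetrans` interface documents only the type transition, but `filetrans_pattern($1, admin_home_t, $2, $3)` also grants the calling domain the pattern's directory write permissions on `admin_home_t`, which is what actually lets a non-root domain create entries under /root; the `<desc>` should state that so callers understand the access they are handing out. Suggest adding after the summary: `## <desc><p>Also allows the domain to create and remove entries in admin_home_t directories.</p></desc>`. The sibling `userdom_user_home_dir_filetrans` that follows it is only partly visible here, so I cannot tell whether the two interfaces are meant to pair the pattern with a search interface the same way; worth checking they stay consistent.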
@@ -28065,7 +28739,7 @@
## Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
-@@ -2851,6 +3047,7 @@
+@@ -2851,6 +3086,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@@ -28073,7 +28747,7 @@
kernel_search_proc($1)
')
-@@ -2965,6 +3162,24 @@
+@@ -2965,6 +3201,24 @@
########################################
## <summary>
@@ -28098,7 +28772,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -2981,3 +3196,264 @@
+@@ -2981,3 +3235,264 @@
allow $1 userdomain:dbus send_msg;
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.770
retrieving revision 1.771
diff -u -r1.770 -r1.771
--- selinux-policy.spec 21 Jan 2009 16:17:40 -0000 1.770
+++ selinux-policy.spec 21 Jan 2009 20:39:17 -0000 1.771
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.3
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,9 @@
%endif
%changelog
+* Wed Jan 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-4
+- Add wm policy
+
* Tue Jan 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-3
- Fixed for DeviceKit