rpms/selinux-policy/F-9 policy-20071130.patch, 1.263, 1.264 selinux-policy.spec, 1.745, 1.746
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Mar 25 08:29:47 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26754
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
- Add xenner fixes
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.263
retrieving revision 1.264
diff -u -r1.263 -r1.264
--- policy-20071130.patch 23 Mar 2009 17:06:25 -0000 1.263
+++ policy-20071130.patch 25 Mar 2009 08:29:43 -0000 1.264
@@ -655058,7 +655058,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.3.1/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-03-23 10:41:10.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-03-25 00:08:28.000000000 +0100
@@ -10,6 +10,10 @@
type mysqld_exec_t;
init_daemon_domain(mysqld_t,mysqld_exec_t)
@@ -655100,7 +655100,7 @@
domain_use_interactive_fds(mysqld_t)
-@@ -119,3 +128,40 @@
+@@ -119,3 +128,38 @@
optional_policy(`
udev_read_db(mysqld_t)
')
@@ -655139,8 +655139,6 @@
+
+hostname_exec(mysqld_safe_t)
+
-+permissive mysqld_safe_t;
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.3.1/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-02-26 14:23:10.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/nagios.fc 2009-02-12 22:21:57.000000000 +0100
@@ -678638,9 +678636,35 @@
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.3.1/policy/modules/system/xen.fc
+--- nsaserefpolicy/policy/modules/system/xen.fc 2008-02-26 14:23:09.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/xen.fc 2009-03-25 00:31:38.000000000 +0100
+@@ -1,5 +1,7 @@
+ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
+
++/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
++
+ /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
+
+ /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+@@ -12,11 +14,14 @@
+ /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+ /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
++/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
+ /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+
++/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
++/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+ /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+ /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
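Review bot: The new `++/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)` entry is inserted in the `/dev` group ahead of `/usr/bin/virsh`, while the rest of xen.fc keeps its entries grouped and sorted by path (`/usr/bin/...` before `/usr/sbin/xenconsoled`). Moving the line next to `/usr/sbin/xenconsoled` keeps the file in its existing order and makes the sbin group easy to scan. The `/var/log` and `/var/run` additions in the second hunk are already in sorted position.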
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/xen.if 2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/xen.if 2009-03-25 00:27:22.000000000 +0100
@@ -167,11 +167,14 @@
#
interface(`xen_stream_connect',`
@@ -678657,7 +678681,7 @@
')
########################################
-@@ -191,3 +194,24 @@
+@@ -191,3 +194,45 @@
domtrans_pattern($1,xm_exec_t,xm_t)
')
@@ -678682,9 +678706,30 @@
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1,xen_image_t,xen_image_t)
+')
++
++######################################
++## <summary>
++## Connect to evtchnd over a unix domain
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`evtchnd_stream_connect',`
++ gen_require(`
++ type evtchnd_var_run_t, evtchnd_t;
++ ')
++
++ allow $1 evtchnd_t:unix_stream_socket connectto;
++ allow $1 evtchnd_var_run_t:sock_file { getattr write };
++ files_search_pids($1)
++')
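Review bot: The new interface name `evtchnd_stream_connect` breaks the module-prefix convention the rest of xen.if follows (`xen_stream_connect`, `xen_stream_connect_xenstore` are the visible siblings); an interface exported from xen.if is expected to start with `xen_`, so `xen_stream_connect_evtchnd` would be the matching name, and the caller added in xen.te (`evtchnd_stream_connect(xenstored_t)`) would have to follow. The two hand-written allow lines are the access that `stream_connect_pattern` encodes; `stream_connect_pattern($1, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)` expresses it in one line (keeping `files_search_pids($1)`) and stays aligned if the pattern's permission set is ever adjusted. The `gen_require` block and the doc comment are fine as written.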
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/xen.te 2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/xen.te 2009-03-25 00:26:11.000000000 +0100
@@ -6,6 +6,13 @@
# Declarations
#
@@ -678720,7 +678765,26 @@
role system_r types xenconsoled_t;
# pid files
-@@ -95,7 +99,7 @@
+@@ -72,6 +76,18 @@
+ domain_type(xm_t)
+ init_system_domain(xm_t, xm_exec_t)
+
++type evtchnd_t;
++type evtchnd_exec_t;
++init_daemon_domain(evtchnd_t, evtchnd_exec_t)
++
++# log files
++ type evtchnd_var_log_t;
++logging_log_file(evtchnd_var_log_t)
++
++# pid files
++type evtchnd_var_run_t;
++files_pid_file(evtchnd_var_run_t)
++
+ ########################################
+ #
+ # xend local policy
+@@ -95,7 +111,7 @@
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
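Review bot: The line `++ type evtchnd_var_log_t;` carries a stray leading space that none of the neighbouring declarations have; it is harmless to checkpolicy but stands out in a block that is otherwise flush-left, so it should read `type evtchnd_var_log_t;`. Apart from that the declaration block mirrors the existing xend/xenconsoled layout (`# log files` / `# pid files` comments ahead of each type), which is the right shape.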
@@ -678729,7 +678793,7 @@
dev_filetrans(xend_t, xenctl_t, fifo_file)
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
-@@ -103,14 +107,14 @@
+@@ -103,14 +119,14 @@
files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
# pid file
@@ -678747,7 +678811,7 @@
manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
-@@ -122,15 +126,13 @@
+@@ -122,15 +138,13 @@
manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
@@ -678767,7 +678831,7 @@
kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
-@@ -176,6 +178,7 @@
+@@ -176,6 +190,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
@@ -678775,7 +678839,7 @@
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
-@@ -214,6 +217,10 @@
+@@ -214,6 +229,10 @@
netutils_domtrans(xend_t)
optional_policy(`
@@ -678786,7 +678850,7 @@
consoletype_exec(xend_t)
')
-@@ -224,7 +231,7 @@
+@@ -224,7 +243,7 @@
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
@@ -678795,7 +678859,7 @@
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
-@@ -245,6 +252,8 @@
+@@ -245,6 +264,8 @@
files_read_usr_files(xenconsoled_t)
@@ -678804,7 +678868,7 @@
term_create_pty(xenconsoled_t,xen_devpts_t);
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
-@@ -257,7 +266,7 @@
+@@ -257,7 +278,7 @@
miscfiles_read_localization(xenconsoled_t)
@@ -678813,7 +678877,7 @@
xen_stream_connect_xenstore(xenconsoled_t)
########################################
-@@ -265,7 +274,7 @@
+@@ -265,7 +286,7 @@
# Xen store local policy
#
@@ -678822,7 +678886,17 @@
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
-@@ -310,6 +319,10 @@
+@@ -280,6 +301,9 @@
+ manage_sock_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
+ files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
+
++# write and connect to evtchnd socket
++evtchnd_stream_connect(xenstored_t)
++
+ kernel_write_xen_state(xenstored_t)
+ kernel_read_xen_state(xenstored_t)
+
+@@ -310,6 +334,10 @@
xen_append_log(xenstored_t)
@@ -678833,7 +678907,7 @@
########################################
#
# xm local policy
-@@ -318,12 +331,13 @@
+@@ -318,12 +346,13 @@
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
# internal communication is often done using fifo and unix sockets.
@@ -678848,7 +678922,7 @@
files_search_var_lib(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
-@@ -336,6 +350,7 @@
+@@ -336,6 +365,7 @@
kernel_write_xen_state(xm_t)
corecmd_exec_bin(xm_t)
@@ -678856,7 +678930,7 @@
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -351,8 +366,11 @@
+@@ -351,8 +381,11 @@
storage_raw_read_fixed_disk(xm_t)
@@ -678868,7 +678942,7 @@
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
-@@ -363,6 +381,23 @@
+@@ -363,6 +396,43 @@
sysnet_read_config(xm_t)
@@ -678892,6 +678966,26 @@
+optional_policy(`
+ unconfined_domain(xend_t)
+')
++
++#######################################
++#
++# evtchnd local policy
++#
++
++# pid file
++manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
++manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
++manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
++files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
++
++# log files
++manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
++manage_files_pattern(evtchnd_t,evtchnd_var_log_t,evtchnd_var_log_t)
++logging_log_filetrans(evtchnd_t,evtchnd_var_log_t,{ file dir })
++
++libs_use_ld_so(evtchnd_t)
++libs_use_shared_libs(evtchnd_t)
++
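Review bot: The evtchnd local policy grants evtchnd_t no permissions on its own sockets, yet the new xen.if interface gives callers `connectto` on `evtchnd_t:unix_stream_socket` and xen.fc labels `/var/run/evtchnd` as a socket file; presumably the daemon creates and listens on that socket itself, in which case it needs at least `allow evtchnd_t self:unix_stream_socket create_stream_socket_perms;` the way xenstored_t has in the same file, otherwise the connect path would be denied on the daemon's side. The block also takes `manage_dirs_pattern` and `dir` in `files_pid_filetrans` for evtchnd_var_run_t, but the fc hunk labels only a pid file and a socket under /var/run and no `/var/run/evtchnd(/.*)?` directory, so either the dir rules are unnecessary or an fc entry is missing — worth confirming against what the daemon actually creates. As a Xen event-channel daemon it will likely also need the Xen device nodes (`dev_rw_xen(evtchnd_t)`) plus localization and syslog access; confirm from audit output rather than guessing. Finally the argument spacing is inconsistent within the block (`manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)` versus `manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)`); pick one form.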
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.3.1/policy/modules/users/auditadm.fc
--- nsaserefpolicy/policy/modules/users/auditadm.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc 2009-02-12 22:21:57.000000000 +0100
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.745
retrieving revision 1.746
diff -u -r1.745 -r1.746
--- selinux-policy.spec 23 Mar 2009 17:06:28 -0000 1.745
+++ selinux-policy.spec 25 Mar 2009 08:29:45 -0000 1.746
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 129%{?dist}
+Release: 130%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
%endif
%changelog
+* Wed Mar 25 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-130
+- Add xenner fixes
+
* Mon Mar 23 2009 Miroslav Grepl <mgrepl at redhat.com> 3.3.1-129
- Add google-earth labeling