rpms/selinux-policy/F-11 policy-20090521.patch, 1.2, 1.3 selinux-policy.spec, 1.863, 1.864

Daniel J Walsh dwalsh at fedoraproject.org
Tue May 26 16:58:33 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8923

Modified Files:
	policy-20090521.patch selinux-policy.spec 
Log Message:
* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-42
- New log file for vmware
- Allow xdm to setattr on user_tmp_t


policy-20090521.patch:

Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- policy-20090521.patch	22 May 2009 14:37:50 -0000	1.2
+++ policy-20090521.patch	26 May 2009 16:58:03 -0000	1.3
@@ -8,6 +8,17 @@ diff -b -B --ignore-all-space --exclude-
 +
 +kernel_dontaudit_read_system_state(sandbox_t)
 +corecmd_exec_all_executables(sandbox_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
+--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 15:54:49.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2009-05-26 08:07:56.000000000 -0400
+@@ -63,6 +63,7 @@
+ ')
+ 
+ /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
++/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
+ 
+ /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-05-22 08:57:14.000000000 -0400
@@ -57,6 +68,50 @@ diff -b -B --ignore-all-space --exclude-
  
  type unconfined_notrans_t;
  type unconfined_notrans_exec_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
+--- nsaserefpolicy/policy/modules/services/apache.fc	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/apache.fc	2009-05-26 09:24:52.000000000 -0400
+@@ -98,4 +98,6 @@
+ 
+ /var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+ 
+-/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
++/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
+--- nsaserefpolicy/policy/modules/services/cron.if	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.if	2009-05-26 08:38:15.000000000 -0400
+@@ -163,27 +163,14 @@
+ #
+ interface(`cron_unconfined_role',`
+ 	gen_require(`
+-		type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
++		type unconfined_cronjob_t;
+ 	')
+ 
+-	role $1 types { unconfined_cronjob_t admin_crontab_t };
++	role $1 types unconfined_cronjob_t;
+ 
+ 	# cronjob shows up in user ps
+ 	ps_process_pattern($2, unconfined_cronjob_t)
+ 
+-	# Transition from the user domain to the derived domain.
+-	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+-
+-	# crontab shows up in user ps
+-	ps_process_pattern($2, admin_crontab_t)
+-	allow $2 admin_crontab_t:process signal;
+-
+-	# Run helper programs as the user domain
+-	#corecmd_bin_domtrans(admin_crontab_t, $2)
+-	#corecmd_shell_domtrans(admin_crontab_t, $2)
+-	corecmd_exec_bin(admin_crontab_t)
+-	corecmd_exec_shell(admin_crontab_t)
+-
+ 	optional_policy(`
+ 		gen_require(`
+ 			class dbus send_msg;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-05-21 12:57:07.000000000 -0400
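Review bot: The commit's changelog carries only the vmware and xdm bullets and says nothing about the apache.fc relabel or the cron.if removal in this hunk, although both change behaviour. In cron.if, `cron_unconfined_role` loses `domtrans_pattern($2, crontab_exec_t, admin_crontab_t)` together with the admin_crontab_t ps and signal rules, so callers of this interface presumably no longer transition into admin_crontab_t when running crontab; if that is intended, a changelog line such as `- Remove admin_crontab_t transition from cron_unconfined_role` should record it. The apache.fc change is sound from a hardening standpoint: the more specific `/var/www/svn/hooks(/.*)?` and `/var/www/svn/conf(/.*)?` entries take precedence over `/var/www/svn(/.*)?`, so hook scripts and repository configuration stay read-only httpd_sys_content_t while only the repository data becomes httpd_sys_script_rw_t, and a one-line comment above those entries stating that intent would help the next editor. The `cron_unconfined_role` interface body continues past the end of this hunk.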
@@ -114,3 +169,49 @@ diff -b -B --ignore-all-space --exclude-
  corenet_udp_sendrecv_generic_if(svirt_t)
  corenet_udp_sendrecv_generic_node(svirt_t)
  corenet_udp_sendrecv_all_ports(svirt_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-05-26 08:17:11.000000000 -0400
+@@ -538,6 +538,7 @@
+ # Search /proc for any user domain processes.
+ userdom_read_all_users_state(xdm_t)
+ userdom_signal_all_users(xdm_t)
++userdom_manage_user_tmp_dirs(xdm_t)
+ userdom_manage_user_tmp_sockets(xdm_t)
+ userdom_manage_tmpfs_role(system_r, xdm_t)
+ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
+--- nsaserefpolicy/policy/modules/system/authlogin.if	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-05-26 08:43:32.000000000 -0400
+@@ -77,6 +77,8 @@
+ 
+ 	# for SSP/ProPolice
+ 	dev_read_urand($1)
++	# for encrypted homedir
++	dev_read_sysfs($1)
+ 	# for fingerprint readers
+ 	dev_rw_input_dev($1)
+ 	dev_rw_generic_usb_dev($1)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
+--- nsaserefpolicy/policy/modules/system/init.fc	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.fc	2009-05-26 09:15:52.000000000 -0400
+@@ -6,6 +6,8 @@
+ /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
++/etc/sysconfig/network-scripts/ifup-ipsec  	--	gen_context(system_u:object_r:initrc_exec_t,s0)
++
+ /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
+ /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
+--- nsaserefpolicy/policy/modules/system/ipsec.te	2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-05-26 09:17:39.000000000 -0400
+@@ -348,6 +348,7 @@
+ files_read_etc_files(setkey_t)
+ 
+ init_dontaudit_use_fds(setkey_t)
++init_read_script_tmp_files(setkey_t)
+ 
+ # allow setkey to set the context for ipsec SAs and policy.
+ ipsec_setcontext_default_spd(setkey_t)
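Review bot: The changelog line "Allow xdm to setattr on user_tmp_t" describes a narrower grant than the hunk makes: `userdom_manage_user_tmp_dirs(xdm_t)` in xserver.te gives xdm_t full manage rights over every user's tmp directories (create, rename, delete and so on), not just setattr. If setattr is all the login manager needs, a narrower userdom interface, if this policy version provides one, would keep xdm's footprint to the stated intent; otherwise the changelog line should say "manage" so the audit trail matches the permission. The authlogin.if addition `dev_read_sysfs($1)` sits inside an interface whose name is outside the hunk, so it widens sysfs read access for every caller of that interface, not only the encrypted-homedir case its comment names; worth confirming that is acceptable for all callers. Both enclosing definitions extend beyond this hunk.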


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.863
retrieving revision 1.864
diff -u -p -r1.863 -r1.864
--- selinux-policy.spec	22 May 2009 14:37:50 -0000	1.863
+++ selinux-policy.spec	26 May 2009 16:58:03 -0000	1.864
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 41%{?dist}
+Release: 42%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,10 @@ exit 0
 %endif
 
 %changelog
+* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-42
+- New log file for vmware
+- Allow xdm to setattr on user_tmp_t
+
 * Thu May 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-41
 - Allow sysadm_t to connect to virt stream
 



