rpms/selinux-policy/F-11 policy-20090521.patch, 1.2, 1.3 selinux-policy.spec, 1.863, 1.864
Daniel J Walsh
dwalsh at fedoraproject.org
Tue May 26 16:58:33 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8923
Modified Files:
policy-20090521.patch selinux-policy.spec
Log Message:
* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-42
- New log file for vmware
- Allow xdm to setattr on user_tmp_t
policy-20090521.patch:
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- policy-20090521.patch 22 May 2009 14:37:50 -0000 1.2
+++ policy-20090521.patch 26 May 2009 16:58:03 -0000 1.3
@@ -8,6 +8,17 @@ diff -b -B --ignore-all-space --exclude-
+
+kernel_dontaudit_read_system_state(sandbox_t)
+corecmd_exec_all_executables(sandbox_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
+--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-04-07 15:54:49.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc 2009-05-26 08:07:56.000000000 -0400
+@@ -63,6 +63,7 @@
+ ')
+
+ /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
++/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
+ /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-22 08:57:14.000000000 -0400
@@ -57,6 +68,50 @@ diff -b -B --ignore-all-space --exclude-
type unconfined_notrans_t;
type unconfined_notrans_exec_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
+--- nsaserefpolicy/policy/modules/services/apache.fc 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-05-26 09:24:52.000000000 -0400
+@@ -98,4 +98,6 @@
+
+ /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
++/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
+--- nsaserefpolicy/policy/modules/services/cron.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-05-26 08:38:15.000000000 -0400
+@@ -163,27 +163,14 @@
+ #
+ interface(`cron_unconfined_role',`
+ gen_require(`
+- type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
++ type unconfined_cronjob_t;
+ ')
+
+- role $1 types { unconfined_cronjob_t admin_crontab_t };
++ role $1 types unconfined_cronjob_t;
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+
+- # Transition from the user domain to the derived domain.
+- domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+-
+- # crontab shows up in user ps
+- ps_process_pattern($2, admin_crontab_t)
+- allow $2 admin_crontab_t:process signal;
+-
+- # Run helper programs as the user domain
+- #corecmd_bin_domtrans(admin_crontab_t, $2)
+- #corecmd_shell_domtrans(admin_crontab_t, $2)
+- corecmd_exec_bin(admin_crontab_t)
+- corecmd_exec_shell(admin_crontab_t)
+-
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-05-21 12:57:07.000000000 -0400
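Review bot: The new `/var/www/svn/hooks(/.*)?` and `/var/www/svn/conf(/.*)?` entries in apache.fc only match a hooks/ or conf/ directory sitting directly under /var/www/svn, whereas a Subversion repository keeps these directories inside each repository (e.g. /var/www/svn/<repo>/hooks); if /var/www/svn holds several repositories rather than being one repository, those directories will fall through to the broader `/var/www/svn(/.*)?` rule and be labeled httpd_sys_script_rw_t, leaving hook scripts and repository config writable rather than under the read-only httpd_sys_content_t this hunk intends. If the per-repository layout is the one to support, patterns of the form `/var/www/svn/[^/]+/hooks(/.*)?` and `/var/www/svn/[^/]+/conf(/.*)?` would cover it; confirm the intended layout with whoever requested the relabel. Separately, the cron.if hunk removes admin_crontab_t (and its domtrans from the user domain) from cron_unconfined_role, and neither this nor the svn relabel appears in the 3.6.12-42 changelog entry, which lists only the vmware log file and the xdm change; a line for each would help anyone bisecting a regression in unconfined users' crontab handling or svn over httpd. The cron_unconfined_role interface continues past the end of the hunk.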
@@ -114,3 +169,49 @@ diff -b -B --ignore-all-space --exclude-
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-26 08:17:11.000000000 -0400
+@@ -538,6 +538,7 @@
+ # Search /proc for any user domain processes.
+ userdom_read_all_users_state(xdm_t)
+ userdom_signal_all_users(xdm_t)
++userdom_manage_user_tmp_dirs(xdm_t)
+ userdom_manage_user_tmp_sockets(xdm_t)
+ userdom_manage_tmpfs_role(system_r, xdm_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
+--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-05-26 08:43:32.000000000 -0400
+@@ -77,6 +77,8 @@
+
+ # for SSP/ProPolice
+ dev_read_urand($1)
++ # for encrypted homedir
++ dev_read_sysfs($1)
+ # for fingerprint readers
+ dev_rw_input_dev($1)
+ dev_rw_generic_usb_dev($1)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
+--- nsaserefpolicy/policy/modules/system/init.fc 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-05-26 09:15:52.000000000 -0400
+@@ -6,6 +6,8 @@
+ /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
++/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
++
+ /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
+--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-05-26 09:17:39.000000000 -0400
+@@ -348,6 +348,7 @@
+ files_read_etc_files(setkey_t)
+
+ init_dontaudit_use_fds(setkey_t)
++init_read_script_tmp_files(setkey_t)
+
+ # allow setkey to set the context for ipsec SAs and policy.
+ ipsec_setcontext_default_spd(setkey_t)
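Review bot: `userdom_manage_user_tmp_dirs(xdm_t)` in xserver.te grants, by its name, the manage permission set on users' tmp directories (in refpolicy convention that covers create, write, rename and unlink as well as setattr), but the changelog for this release describes the change as only allowing xdm to setattr on user_tmp_t. If setattr was all the denial called for, a setattr-only userdom interface, if userdom.if provides one, would keep xdm_t closer to least privilege on user-owned temporary directories; otherwise the changelog line should say "manage" so the wider grant is recorded. The authlogin.if addition `dev_read_sysfs($1)` lands inside an interface whose name and start are outside the hunk, so the sysfs read access is granted to every domain that calls that interface, not just the encrypted-homedir case the new comment names; it is worth confirming that is acceptable for all of its callers.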
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.863
retrieving revision 1.864
diff -u -p -r1.863 -r1.864
--- selinux-policy.spec 22 May 2009 14:37:50 -0000 1.863
+++ selinux-policy.spec 26 May 2009 16:58:03 -0000 1.864
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 41%{?dist}
+Release: 42%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,10 @@ exit 0
%endif
%changelog
+* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-42
+- New log file for vmware
+- Allow xdm to setattr on user_tmp_t
+
* Thu May 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-41
- Allow sysadm_t to connect to virt stream