[selinux-policy/f13/master] - Add label for /var/cache/rpcbind directory - Add chrome_role for xguest - Fix amavis_read_spool_fi
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Aug 20 12:39:18 UTC 2010
commit 5405afb3d0290e0edc5f1bdd46edb4f6a3a1e9b5
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Aug 20 14:38:57 2010 +0200
- Add label for /var/cache/rpcbind directory
- Add chrome_role for xguest
- Fix amavis_read_spool_files interface
policy-F13.patch | 107 +++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 7 +++-
2 files changed, 84 insertions(+), 30 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 56a73e6..a954e02 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -8390,7 +8390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-08-04 15:16:45.690085499 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-08-20 13:57:30.568084981 +0200
@@ -9,8 +9,10 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -8412,7 +8412,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -70,6 +73,12 @@
+@@ -65,11 +68,20 @@
+
+ /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
++/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -8425,7 +8433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -147,6 +156,9 @@
+@@ -147,6 +159,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -8435,7 +8443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -189,7 +201,8 @@
+@@ -189,7 +204,8 @@
/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -8445,7 +8453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-@@ -216,11 +229,17 @@
+@@ -216,11 +232,17 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -8463,7 +8471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +259,7 @@
+@@ -240,6 +262,7 @@
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -8471,7 +8479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +317,7 @@
+@@ -297,6 +320,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -8479,7 +8487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +352,21 @@
+@@ -331,3 +355,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -13225,7 +13233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-08-09 15:04:33.114085099 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-08-20 13:55:45.358085064 +0200
@@ -15,7 +15,7 @@
## <desc>
@@ -13284,16 +13292,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
')
')
-@@ -81,19 +89,75 @@
+@@ -81,19 +89,79 @@
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ apache_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+ ')
+
+ optional_policy(`
++ chrome_role(xguest_r, xguest_usertype)
+')
+
+optional_policy(`
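Review bot: The new `chrome_role(xguest_r, xguest_usertype)` is handed the `xguest_usertype` attribute, while every other role call in this hunk (`apache_role`, `mono_role_template`, `nsplugin_role`) is given the single domain `xguest_t`. If chrome_role's second argument is the domain allowed to transition into the Chrome sandbox, passing the attribute extends that to every type carrying xguest_usertype rather than only the login-shell domain; that may be intended so derived xguest domains can launch Chrome, but it should be confirmed, or changed to `chrome_role(xguest_r, xguest_t)` to match its neighbours. The enclosing `optional_policy` block and the rest of xguest.te continue outside this hunk.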
@@ -13302,18 +13315,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+
+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
- ')
-
++')
++
+#optional_policy(`
+# telepathy_dbus_session_role(xguest_r, xguest_t)
+#')
+
- optional_policy(`
++optional_policy(`
tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_usertype)
+
@@ -13351,19 +13363,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_jabber_client_port(xguest_usertype)
- ')
- ')
-
--#gen_user(xguest_u,, xguest_r, s0, s0)
++ ')
++')
++
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
-+ ')
+ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
-+')
-+
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2010-04-13 20:44:37.000000000 +0200
@@ -14401,6 +14413,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+
+userdom_rw_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.19/policy/modules/services/amavis.if
+--- nsaserefpolicy/policy/modules/services/amavis.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/amavis.if 2010-08-20 13:59:09.305084875 +0200
+@@ -56,7 +56,7 @@
+ ')
+
+ files_search_spool($1)
+- allow $1 amavis_spool_t:file read_file_perms;
++ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2010-07-13 09:55:52.782503046 +0200
@@ -16020,8 +16044,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-13 07:57:07.812101911 +0200
-@@ -0,0 +1,151 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-20 13:54:00.869085496 +0200
+@@ -0,0 +1,153 @@
+
+policy_module(boinc,1.0.0)
+
@@ -16083,6 +16107,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
+
++allow boinc_t boinc_project_t:process sigkill;
++
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
@@ -30163,6 +30189,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.7.19/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rpcbind.fc 2010-08-20 13:48:39.185084889 +0200
+@@ -2,6 +2,7 @@
+
+ /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
++/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+ /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.19/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/rpcbind.if 2010-06-25 15:10:52.796137763 +0200
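Review bot: The new `/var/cache/rpcbind(/.*)?` entry reuses `rpcbind_var_lib_t`, so it only takes effect when the directory is relabeled at package install or by restorecon; nothing in this commit adds a file transition for `rpcbind_t` under /var/cache, so if rpcbind creates the directory itself at runtime it will presumably inherit the parent's label (var_t in refpolicy) and the daemon's existing var_lib rules will not cover it. If the package does not ship the directory, rpcbind.te needs something like `files_var_filetrans(rpcbind_t, rpcbind_var_lib_t, dir)` — confirm how /var/cache/rpcbind is created before adding it. Reusing the var_lib type instead of a dedicated cache type is acceptable as long as the warm-start state in /var/cache is meant to get exactly the same access as /var/lib/rpcbind.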
@@ -35345,6 +35382,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.19/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2010-08-20 13:51:57.715085006 +0200
+@@ -84,7 +84,7 @@
+
+ allow chkpwd_t self:capability { dac_override setuid };
+ dontaudit chkpwd_t self:capability sys_tty_config;
+-allow chkpwd_t self:process getattr;
++allow chkpwd_t self:process { getattr signal };
+
+ allow chkpwd_t shadow_t:file read_file_perms;
+ files_list_etc(chkpwd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.19/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/daemontools.if 2010-05-28 09:42:00.211610814 +0200
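Review bot: Neither this `allow chkpwd_t self:process { getattr signal };` change nor two others in this commit — the `/etc/kde/env` and `/etc/kde/shutdown` bin_t labels in corecommands.fc and the `boinc_t` sigkill rule on `boinc_project_t` — is recorded in the 3.7.19-49 changelog entry, which lists only the rpcbind label, the xguest chrome_role and the amavis fix. Please add lines such as `- Allow chkpwd_t to signal itself`, `- Label /etc/kde/env and /etc/kde/shutdown as bin_t` and `- Allow boinc_t to sigkill boinc_project_t` so the spec changelog matches the patch. The grant itself is minimal: `signal` on self only lets chkpwd_t processes signal other chkpwd_t processes and does not widen access to shadow_t or anything else in the hunk.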
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 80aab73..647c862 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 48%{?dist}
+Release: 49%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
%endif
%changelog
+* Fri Aug 20 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-49
+- Add label for /var/cache/rpcbind directory
+- Add chrome_role for xguest
+- Fix amavis_read_spool_files interface
+
* Wed Aug 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-48
- Fixes for shorewall policy
- Allow sssd chown capability