[selinux-policy/f13/master] - Add label for /var/cache/rpcbind directory - Add chrome_role for xguest - Fix amavis_read_spool_fi

Miroslav Grepl mgrepl at fedoraproject.org
Fri Aug 20 12:39:18 UTC 2010


commit 5405afb3d0290e0edc5f1bdd46edb4f6a3a1e9b5
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Aug 20 14:38:57 2010 +0200

    - Add label for /var/cache/rpcbind directory
    - Add chrome_role for xguest
    - Fix amavis_read_spool_files interface

 policy-F13.patch    |  107 +++++++++++++++++++++++++++++++++++++--------------
 selinux-policy.spec |    7 +++-
 2 files changed, 84 insertions(+), 30 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 56a73e6..a954e02 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -8390,7 +8390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc	2010-08-04 15:16:45.690085499 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc	2010-08-20 13:57:30.568084981 +0200
 @@ -9,8 +9,10 @@
  /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -8412,7 +8412,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  
  /etc/cron.daily(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/cron.hourly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -70,6 +73,12 @@
+@@ -65,11 +68,20 @@
+ 
+ /etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/kde/env(/.*)?				gen_context(system_u:object_r:bin_t,s0)
++/etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
  
  /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
  
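Review bot: The two new `/etc/kde/env(/.*)?` and `/etc/kde/shutdown(/.*)?` entries label everything under those directories as `bin_t`, yet neither the commit message nor the spec %changelog mentions the corecommands.fc change; the same is true of the boinc.te `sigkill` rule in hunk @@ -16083 and the authlogin.te `signal` addition in hunk @@ -35345. One changelog line per change, e.g. `- Label /etc/kde/env and /etc/kde/shutdown as bin_t`, keeps the package history usable when these labels are questioned later. Because `(/.*)?` gives any file dropped into those directories an executable type, a short comment in the fc file saying what they are expected to hold (presumably startkde hook scripts; confirm) would help the next reviewer judge the scope.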
@@ -8425,7 +8433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -147,6 +156,9 @@
+@@ -147,6 +159,9 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -8435,7 +8443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  #
  # /usr
  #
-@@ -189,7 +201,8 @@
+@@ -189,7 +204,8 @@
  /usr/lib(64)?/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
@@ -8445,7 +8453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-@@ -216,11 +229,17 @@
+@@ -216,11 +232,17 @@
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
@@ -8463,7 +8471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +259,7 @@
+@@ -240,6 +262,7 @@
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@@ -8471,7 +8479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -297,6 +317,7 @@
+@@ -297,6 +320,7 @@
  /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -8479,7 +8487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +352,21 @@
+@@ -331,3 +355,21 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -13225,7 +13233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te	2010-08-09 15:04:33.114085099 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te	2010-08-20 13:55:45.358085064 +0200
 @@ -15,7 +15,7 @@
  
  ## <desc>
@@ -13284,16 +13292,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  	')
  ')
  
-@@ -81,19 +89,75 @@
+@@ -81,19 +89,79 @@
  ')
  
  optional_policy(`
 -	java_role(xguest_r, xguest_t)
 +	apache_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mozilla_role(xguest_r, xguest_t)
 +	gnomeclock_dontaudit_dbus_chat(xguest_t)
+ ')
+ 
+ optional_policy(`
++	chrome_role(xguest_r, xguest_usertype)
 +')
 +
 +optional_policy(`
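Review bot: `chrome_role(xguest_r, xguest_usertype)` is the only role call in this hunk that receives the `xguest_usertype` attribute; `apache_role`, `mono_role_template` and `nsplugin_role` on the neighbouring lines all pass `xguest_t`. If the attribute is intentional, so that every domain carrying it gets the chrome sandbox transition, a one-line comment above the call saying so would stop the next reader from "fixing" it; otherwise `chrome_role(xguest_r, xguest_t)` keeps it consistent with its siblings. The optional_policy block opened on the last line of this hunk closes in the following hunk.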
@@ -13302,18 +13315,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +
 +optional_policy(`
 +	mono_role_template(xguest, xguest_r, xguest_t)
- ')
- 
- optional_policy(`
--	mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
 +	nsplugin_role(xguest_r, xguest_t)
- ')
- 
++')
++
 +#optional_policy(`
 +#    	telepathy_dbus_session_role(xguest_r, xguest_t)
 +#')
 +
- optional_policy(`
++optional_policy(`
  	tunable_policy(`xguest_connect_network',`
 +		kernel_read_network_state(xguest_usertype)
 +
@@ -13351,19 +13363,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_jabber_client_port(xguest_usertype)
- 	')
- ')
- 
--#gen_user(xguest_u,, xguest_r, s0, s0)
++	')
++')
++
 +optional_policy(`
 +	gen_require(`
 +		type mozilla_t;
-+	')
+ 	')
 +
 +	allow xguest_t mozilla_t:process transition;
 +	role xguest_r types mozilla_t;
-+')
-+
+ ')
+ 
+-#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc
 --- nsaserefpolicy/policy/modules/services/abrt.fc	2010-04-13 20:44:37.000000000 +0200
@@ -14401,6 +14413,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
 +
 +userdom_rw_semaphores(aisexec_t)
 +userdom_rw_unpriv_user_shared_mem(aisexec_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.19/policy/modules/services/amavis.if
+--- nsaserefpolicy/policy/modules/services/amavis.if	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/amavis.if	2010-08-20 13:59:09.305084875 +0200
+@@ -56,7 +56,7 @@
+ 	')
+ 
+ 	files_search_spool($1)
+-	allow $1 amavis_spool_t:file read_file_perms;
++	read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/apache.fc	2010-07-13 09:55:52.782503046 +0200
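Review bot: `read_files_pattern($1, amavis_spool_t, amavis_spool_t)` grants `$1` search on `amavis_spool_t` directories in addition to the file read permissions the removed `allow` line granted, which is presumably the fix (callers could not traverse the spool directory). The interface's `<summary>` block, which sits above this hunk in amavis.if, should state that it allows reading files in the amavis spool directory so the added directory access is documented; the enclosing interface definition starts outside the hunk.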
@@ -16020,8 +16044,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te	2010-08-13 07:57:07.812101911 +0200
-@@ -0,0 +1,151 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te	2010-08-20 13:54:00.869085496 +0200
+@@ -0,0 +1,153 @@
 +
 +policy_module(boinc,1.0.0)
 +
@@ -16083,6 +16107,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +manage_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
 +files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
 +
++allow boinc_t boinc_project_t:process sigkill;
++
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +
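Review bot: `allow boinc_t boinc_project_t:process sigkill;` carries no comment explaining why the client domain needs to kill project processes, and the rule sits between unrelated var_lib file rules. A why-comment directly above it, e.g. `# boinc client terminates project tasks it launched (SIGKILL only)`, records the intent; whether `sigkill` alone is sufficient or a `signal`/`sigstop` denial will follow cannot be told from this hunk. The boinc.te module continues outside the hunk.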
@@ -30163,6 +30189,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
  
  remotelogin_domtrans(rlogind_t)
  remotelogin_signal(rlogind_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.7.19/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rpcbind.fc	2010-08-20 13:48:39.185084889 +0200
+@@ -2,6 +2,7 @@
+ 
+ /sbin/rpcbind		--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
+ 
++/var/cache/rpcbind(/.*)?      gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ /var/lib/rpcbind(/.*)?		gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ 
+ /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.19/policy/modules/services/rpcbind.if
 --- nsaserefpolicy/policy/modules/services/rpcbind.if	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/rpcbind.if	2010-06-25 15:10:52.796137763 +0200
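Review bot: The new `/var/cache/rpcbind(/.*)?` entry separates the path from `gen_context` with spaces while the neighbouring `/var/lib/rpcbind(/.*)?` and `/var/run/rpc.statd\.pid` lines use tabs; align it the same way so the file stays consistent. It also reuses `rpcbind_var_lib_t` for a cache directory instead of a dedicated cache type, so whatever permissions rpcbind_t already has on its var_lib files apply unchanged under /var/cache — acceptable if intentional, but a one-line comment (`# cache shares the var_lib type`) would make that choice explicit.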
@@ -35345,6 +35382,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	')
  
  	optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.19/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.te	2010-08-20 13:51:57.715085006 +0200
+@@ -84,7 +84,7 @@
+ 
+ allow chkpwd_t self:capability { dac_override setuid };
+ dontaudit chkpwd_t self:capability sys_tty_config;
+-allow chkpwd_t self:process getattr;
++allow chkpwd_t self:process { getattr signal };
+ 
+ allow chkpwd_t shadow_t:file read_file_perms;
+ files_list_etc(chkpwd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.19/policy/modules/system/daemontools.if
 --- nsaserefpolicy/policy/modules/system/daemontools.if	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/system/daemontools.if	2010-05-28 09:42:00.211610814 +0200
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 80aab73..647c862 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 48%{?dist}
+Release: 49%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 
 %changelog
+* Fri Aug 20 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-49
+- Add label for /var/cache/rpcbind directory
+- Add chrome_role for xguest
+- Fix amavis_read_spool_files interface
+
 * Wed Aug 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-48
 - Fixes for shorewall policy
 - Allow sssd chown capability

