rpms/selinux-policy/F-12 policy-20100106.patch, 1.14, 1.15 selinux-policy.spec, 1.1003, 1.1004

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jan 25 17:00:28 UTC 2010


Author: mgrepl

Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv707

Modified Files:
	policy-20100106.patch selinux-policy.spec 
Log Message:
- Allow xenstored to manage files on a XENFS filesystem
- Allow cupsd to setattr on a fonts cache directory
- Allow smolt-client to send system log messages



policy-20100106.patch:
 modules/admin/smoltclient.te     |    2 
 modules/apps/gnome.fc            |    8 ++
 modules/apps/gnome.if            |   24 ++++----
 modules/apps/gnome.te            |    6 +-
 modules/apps/gpg.fc              |    2 
 modules/apps/gpg.te              |    5 -
 modules/apps/mozilla.fc          |    1 
 modules/apps/nsplugin.fc         |    1 
 modules/apps/podsleuth.te        |    1 
 modules/apps/sandbox.if          |   50 ++++++++++++++---
 modules/apps/sandbox.te          |   39 +++++++------
 modules/apps/vmware.if           |   18 ++++++
 modules/apps/wine.if             |    4 +
 modules/apps/wine.te             |   14 ++++
 modules/kernel/corenetwork.te.in |    4 -
 modules/kernel/devices.fc        |    2 
 modules/kernel/devices.if        |   18 ++++++
 modules/kernel/devices.te        |    6 ++
 modules/roles/unconfineduser.fc  |    2 
 modules/roles/unconfineduser.te  |    2 
 modules/roles/xguest.te          |    2 
 modules/services/abrt.te         |    1 
 modules/services/afs.te          |    6 +-
 modules/services/apache.if       |   26 ++++++++
 modules/services/apache.te       |    2 
 modules/services/apcupsd.te      |    2 
 modules/services/avahi.fc        |    2 
 modules/services/cups.te         |    2 
 modules/services/dovecot.te      |    4 +
 modules/services/fail2ban.if     |   18 ++++++
 modules/services/ftp.if          |   37 ++++++++++++
 modules/services/ftp.te          |  114 +++++++++++++++++++++++++++++++++++++++
 modules/services/git.fc          |    3 +
 modules/services/git.if          |    8 +-
 modules/services/git.te          |    5 +
 modules/services/kerberos.if     |    2 
 modules/services/mailman.te      |    1 
 modules/services/memcached.te    |   14 +++-
 modules/services/nagios.fc       |   40 +++++++++++++
 modules/services/nagios.te       |    7 ++
 modules/services/openvpn.te      |    1 
 modules/services/plymouth.te     |   27 +++++----
 modules/services/postfix.te      |    5 +
 modules/services/samba.te        |    5 +
 modules/services/sendmail.te     |    2 
 modules/services/snmp.te         |    4 -
 modules/services/spamassassin.if |   18 ++++++
 modules/services/ssh.te          |   80 +--------------------------
 modules/services/sssd.fc         |    2 
 modules/services/sssd.if         |   85 +++++++++++++++++------------
 modules/services/sssd.te         |   14 +++-
 modules/services/tftp.te         |    1 
 modules/services/virt.te         |    4 +
 modules/services/xserver.fc      |    4 +
 modules/services/xserver.te      |    3 +
 modules/system/hotplug.te        |    4 +
 modules/system/init.te           |    5 +
 modules/system/iscsi.fc          |    2 
 modules/system/iscsi.te          |    4 +
 modules/system/libraries.fc      |    8 ++
 modules/system/locallogin.te     |    5 +
 modules/system/miscfiles.if      |   37 ++++++++++++
 modules/system/mount.te          |    5 +
 modules/system/selinuxutil.te    |    1 
 modules/system/unconfined.if     |    2 
 modules/system/userdomain.fc     |    1 
 modules/system/userdomain.if     |   18 ++++++
 modules/system/xen.te            |    7 ++
 support/obj_perm_sets.spt        |    2 
 users                            |    2 
 70 files changed, 667 insertions(+), 196 deletions(-)

Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -p -r1.14 -r1.15
--- policy-20100106.patch	22 Jan 2010 16:37:43 -0000	1.14
+++ policy-20100106.patch	25 Jan 2010 17:00:28 -0000	1.15
@@ -1,3 +1,15 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te
+--- nsaserefpolicy/policy/modules/admin/smoltclient.te	2010-01-18 18:24:22.573543214 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te	2010-01-25 11:03:49.548441857 +0100
+@@ -48,6 +48,8 @@
+ files_read_etc_files(smoltclient_t)
+ files_read_usr_files(smoltclient_t)
+ 
++logging_send_syslog_msg(smoltclient_t)
++
+ miscfiles_read_localization(smoltclient_t)
+ 
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2010-01-18 18:24:22.594539949 +0100
 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc	2010-01-21 18:31:02.867611919 +0100
@@ -383,6 +395,34 @@ diff -b -B --ignore-all-space --exclude-
  
  dbus_system_bus_client(sandbox_net_client_t)
  dbus_read_config(sandbox_net_client_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.6.32/policy/modules/apps/vmware.if
+--- nsaserefpolicy/policy/modules/apps/vmware.if	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/vmware.if	2010-01-25 17:40:10.448685801 +0100
+@@ -30,6 +30,24 @@
+ 	allow $2 vmware_t:process signal;
+ ')
+ 
++#######################################
++## <summary>
++## 	Execute vmware host executables
++## </summary>
++## <param name="domain">
++## <summary>
++## 	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`vmware_exec_host',`
++	gen_require(`
++		type vmware_host_exec_t;
++	')
++
++	can_exec($1, vmware_host_exec_t)
++')
++      
+ ########################################
+ ## <summary>
+ ##	Read VMWare system configuration files.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2010-01-18 18:24:22.657540000 +0100
 +++ serefpolicy-3.6.32/policy/modules/apps/wine.if	2010-01-18 18:27:02.744541291 +0100
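Review bot: The summary of the new `vmware_exec_host` interface does not say that `can_exec($1, vmware_host_exec_t)` runs the binary in the caller's own domain with no transition. A policy author picking this interface needs to see that distinction in the summary, for example `## 	Execute vmware host executables in the caller domain.` The banner line above the summary has 39 `#` characters where the neighbouring interfaces use 40, and the added line after the closing `')` contains only trailing spaces; both are worth tidying while the block is new.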
@@ -658,8 +698,16 @@ diff -b -B --ignore-all-space --exclude-
 +/var/lib/avahi-autoipd(/.*)?  	gen_context(system_u:object_r:avahi_var_lib_t,s0)    
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2010-01-18 18:24:22.771540183 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te	2010-01-18 18:27:02.758531199 +0100
-@@ -555,6 +555,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/cups.te	2010-01-25 17:36:13.178435741 +0100
+@@ -265,6 +265,7 @@
+ # invoking ghostscript needs to read fonts
+ miscfiles_read_fonts(cupsd_t)
+ miscfiles_setattr_fonts_dirs(cupsd_t)
++miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+ 
+ seutil_read_config(cupsd_t)
+ sysnet_exec_ifconfig(cupsd_t)
+@@ -555,6 +556,7 @@
  logging_send_syslog_msg(cupsd_lpd_t)
  
  miscfiles_read_localization(cupsd_lpd_t)
@@ -1944,7 +1992,7 @@ diff -b -B --ignore-all-space --exclude-
 +')   
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2010-01-18 18:24:22.961540534 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/mount.te	2010-01-18 18:27:02.788530824 +0100
++++ serefpolicy-3.6.32/policy/modules/system/mount.te	2010-01-25 17:40:43.288687056 +0100
 @@ -181,6 +181,7 @@
  	auth_read_all_dirs_except_shadow(mount_t)
  	auth_read_all_files_except_shadow(mount_t)
@@ -1953,6 +2001,17 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
+@@ -260,6 +261,10 @@
+ 	samba_read_config(mount_t)
+ ')
+ 
++optional_policy(`
++	vmware_exec_host(mount_t)
++')
++
+ ########################################
+ #
+ # Unconfined mount local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-01-18 18:24:22.967540599 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te	2010-01-18 18:27:02.789530951 +0100
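Review bot: The added `optional_policy` block calling `vmware_exec_host(mount_t)` is not mentioned in the log message or in the %changelog entry for 3.6.32-77, although it widens what mount_t may execute. Because the interface is built on `can_exec`, any file labelled vmware_host_exec_t that mount runs stays in mount_t and inherits its access, so the reason for the grant should be recorded next to it. I would add a comment above the block, such as `# mount runs a vmware host helper (reference: <bug or AVC id>)` with the placeholder filled in, and a changelog line `- Allow mount to execute vmware host executables`. The surrounding mount.te policy continues outside this hunk, so whether a transition to a vmware domain would be the tighter choice cannot be judged from here.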
@@ -2015,7 +2074,7 @@ diff -b -B --ignore-all-space --exclude-
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2010-01-18 18:24:22.987540070 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te	2010-01-18 18:27:02.796530655 +0100
++++ serefpolicy-3.6.32/policy/modules/system/xen.te	2010-01-25 17:55:42.768687784 +0100
 @@ -248,6 +248,7 @@
  #
  
@@ -2043,6 +2102,14 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Xen store local policy
+@@ -329,6 +335,7 @@
+ 
+ files_read_usr_files(xenstored_t)
+ 
++fs_manage_xenfs_files(xenstored_t)
+ fs_search_xenfs(xenstored_t)
+ 
+ storage_raw_read_fixed_disk(xenstored_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2010-01-18 18:24:22.988541733 +0100
 +++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2010-01-18 18:27:02.798533004 +0100
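Review bot: `fs_manage_xenfs_files(xenstored_t)` in the xen.te hunk at inner line 335 is a broad grant, and the commit carries no record of the denial that justified it. A manage interface normally covers create and delete as well as read and write, and xenstored_t already holds `storage_raw_read_fixed_disk` two lines further down. If the observed denials were only reads and writes on existing xenfs nodes, a narrower interface would keep the domain closer to least privilege; this is inferred from the interface name, since its definition is not on the page. Either way a short comment above the line, such as `# xenstored access to xenfs nodes (reference: <bug or AVC id>)` with the placeholder filled in, would let a later audit confirm the scope.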


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1003
retrieving revision 1.1004
diff -u -p -r1.1003 -r1.1004
--- selinux-policy.spec	22 Jan 2010 16:37:43 -0000	1.1003
+++ selinux-policy.spec	25 Jan 2010 17:00:28 -0000	1.1004
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 76%{?dist}
+Release: 77%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -456,6 +456,11 @@ exit 0
 %endif
 
 %changelog
+* Mon Jan 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-77
+- Allow xenstored to manage files on on a XENFS filesystem
+- Allow cupsd to setattr on a fonts cache directory
+- Allot smolt-client to send system log messages
+
 * Fri Jan 22 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-76
 - Add labeling for gitweb
 - Allow plymouth to read and write the /dev/ptmx


