[selinux-policy/f16] - Add fixes for xguest package

Miroslav Grepl mgrepl at fedoraproject.org
Wed Dec 7 17:37:29 UTC 2011


commit 7ced2aab744f2d7ebedb8ba8ce68d010fd503927
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Dec 7 18:37:09 2011 +0100

    - Add fixes for xguest package

 file_contexts.subs_dist |    1 +
 policy-F16.patch        |   48 ++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec     |    5 +++-
 3 files changed, 40 insertions(+), 14 deletions(-)
---
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
index 39171e2..427372c 100644
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@@ -4,3 +4,4 @@
 /lib64 /lib
 /usr/lib64 /usr/lib
 /etc/systemd/system /lib/systemd/system
+/var/lib/xguest/home /home
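Review bot: The new equivalence `/var/lib/xguest/home /home` only changes how paths are matched when labels are looked up, so files that already exist under /var/lib/xguest/home keep their old labels until something relabels them. Nothing in the selinux-policy.spec hunks of this commit triggers a relabel of that tree. Please confirm that an upgrade scriptlet here or in the xguest package runs something like `restorecon -R /var/lib/xguest/home`, otherwise existing guest homes stay mislabeled after the update.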
diff --git a/policy-F16.patch b/policy-F16.patch
index 3505dbf..c3ef4df 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4417,7 +4417,7 @@ index 81fb26f..66cf96c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..cd9d876 100644
+index 441cf22..8d23813 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4573,17 +4573,23 @@ index 441cf22..cd9d876 100644
  
  files_manage_etc_files(useradd_t)
  files_search_var_lib(useradd_t)
-@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,17 +476,15 @@ fs_search_auto_mountpoints(useradd_t)
  fs_getattr_xattr_fs(useradd_t)
  
  mls_file_upgrade(useradd_t)
 +mls_process_read_to_clearance(useradd_t)
  
- # Allow access to context for shadow file
- selinux_get_fs_mount(useradd_t)
-@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t)
- selinux_compute_relabel_context(useradd_t)
- selinux_compute_user_contexts(useradd_t)
+-# Allow access to context for shadow file
+-selinux_get_fs_mount(useradd_t)
+-selinux_validate_context(useradd_t)
+-selinux_compute_access_vector(useradd_t)
+-selinux_compute_create_context(useradd_t)
+-selinux_compute_relabel_context(useradd_t)
+-selinux_compute_user_contexts(useradd_t)
++seutil_semanage_policy(useradd_t)
++seutil_manage_file_contexts(useradd_t)
++seutil_manage_config(useradd_t)
++seutil_manage_default_contexts(useradd_t)
  
 -term_use_all_ttys(useradd_t)
 -term_use_all_ptys(useradd_t)
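Review bot: useradd_t is given direct write access to the SELinux configuration here (`seutil_semanage_policy`, `seutil_manage_file_contexts`, `seutil_manage_config`, `seutil_manage_default_contexts`), and the next hunk at `@@ -495,24 +509,19 @@` adds `seutil_domtrans_loadpolicy`, `seutil_manage_bin_policy` and `seutil_manage_module_store` on top. Together these make a compromise of useradd equivalent to control of the loaded policy, even though the context lines show useradd_t already has `seutil_domtrans_semanage(useradd_t)` for policy changes. If the in-process access is really required, add a why-comment above the block, e.g. `# useradd updates SELinux user mappings in-process, needs policy store access` (wording to be confirmed), and drop any grant that `seutil_semanage_policy` already covers rather than duplicating it. This hunk also removes `selinux_validate_context` and the `selinux_compute_*` calls without a stated reason; confirm useradd no longer needs them.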
@@ -4592,7 +4598,15 @@ index 441cf22..cd9d876 100644
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -495,24 +509,19 @@ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
+ seutil_domtrans_semanage(useradd_t)
+ seutil_domtrans_setfiles(useradd_t)
++seutil_domtrans_loadpolicy(useradd_t)
++seutil_manage_bin_policy(useradd_t)
++seutil_manage_module_store(useradd_t)
++seutil_get_semanage_trans_lock(useradd_t)
++seutil_get_semanage_read_lock(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -22855,10 +22869,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..4163dc5
+index 0000000..a03e788
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,442 @@
+@@ -0,0 +1,446 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -22965,6 +22979,10 @@ index 0000000..4163dc5
 +usermanage_run_passwd(unconfined_t, unconfined_r)
 +usermanage_run_chfn(unconfined_t, unconfined_r)
 +
++optional_policy(`
++       usermanage_run_useradd(unconfined_t, unconfined_r)
++')
++
 +tunable_policy(`allow_execmem',`
 +	allow unconfined_t self:process execmem;
 +')
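Review bot: The new `usermanage_run_useradd(unconfined_t, unconfined_r)` call is wrapped in `optional_policy`, while the `usermanage_run_passwd` and `usermanage_run_chfn` calls directly above it are unconditional. The wrapper gains nothing if the usermanage module is absent, because those two calls would fail anyway; either call all three unconditionally or move all three into one optional block. The body is also indented with spaces where the adjacent `tunable_policy` block uses a tab. Since this sends useradd run by an unconfined user into useradd_t, whose permissions this commit widens considerably, a one-line comment giving the reason for the transition would help.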
@@ -45526,7 +45544,7 @@ index e9c0982..14af30a 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..fdd8615 100644
+index 0a0d63c..d86e78b 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -45585,7 +45603,7 @@ index 0a0d63c..fdd8615 100644
  ')
  
  tunable_policy(`mysql_connect_any',`
-@@ -155,6 +159,7 @@ optional_policy(`
+@@ -155,9 +159,11 @@ optional_policy(`
  
  allow mysqld_safe_t self:capability { chown dac_override fowner kill };
  dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -45593,7 +45611,11 @@ index 0a0d63c..fdd8615 100644
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
  read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -170,26 +175,33 @@ kernel_read_system_state(mysqld_safe_t)
++delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+ 
+ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+ 
+@@ -170,26 +176,33 @@ kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
  
  corecmd_exec_bin(mysqld_safe_t)
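Review bot: `delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)` only matches socket files whose own type is mysqld_db_t, so please confirm that the socket mysqld_safe has to remove really carries that label rather than a pid/run type. If it does not, the rule still lets mysqld_safe_t remove entries from mysqld_db_t directories without fixing the denial it was added for. The line has no explanation; a comment such as `# mysqld_safe removes a stale socket before starting mysqld` (if that is the trigger) would record why it is needed. The mysqld_safe_t rules continue outside this hunk.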
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c4eb14..f7c9893 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 65%{?dist}
+Release: 66%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Dec 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-66
+- Add fixes for xguest package 
+
 * Tue Dec 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-65
 - Allow abrt to getattr on blk files
 - Add type for rhev-agent log file

