[selinux-policy/f18] * Tue Sep 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-25 - Fix boolean name so subs will conti
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Sep 25 20:00:28 UTC 2012
commit d53a7f6fe9f55e9c8d0f7460030f98a321c23002
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Sep 25 22:00:17 2012 +0200
* Tue Sep 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-25
- Fix boolean name so subs will continue to work
policy-rawhide.patch | 30 ++++++++----------
policy_contrib-rawhide.patch | 68 ++++++++++++++++++++++++------------------
segenman | 7 +---
selinux-policy.spec | 21 +++++++-----
4 files changed, 67 insertions(+), 59 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index ad1f04e..964ff7a 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -99793,7 +99793,7 @@ index f82f0ce..204bdc8 100644
/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 98b8b2d..c7bdbdc 100644
+index 98b8b2d..1da87ac 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
@@ -99959,27 +99959,25 @@ index 98b8b2d..c7bdbdc 100644
')
########################################
-@@ -270,11 +319,39 @@ interface(`usermanage_domtrans_useradd',`
+@@ -270,11 +319,38 @@ interface(`usermanage_domtrans_useradd',`
#
interface(`usermanage_run_useradd',`
gen_require(`
- attribute_role useradd_roles;
+ #attribute_role useradd_roles;
-+ type sysadm_passwd_t;
++ type useradd_t;
')
-- usermanage_domtrans_useradd($1)
-- roleattribute $2 useradd_roles;
+ #usermanage_domtrans_useradd($1)
+ #roleattribute $2 useradd_roles;
+
-+ usermanage_domtrans_admin_passwd($1)
-+ role $2 types sysadm_passwd_t;
-+
-+ optional_policy(`
-+ nscd_run(sysadm_passwd_t, $2)
-+ ')
+ usermanage_domtrans_useradd($1)
+- roleattribute $2 useradd_roles;
++ role $2 types useradd_t;
+
++ optional_policy(`
++ nscd_run(sysadm_passwd_t, $2)
++ ')
+')
+
+########################################
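Review bot: in usermanage_run_useradd the gen_require now declares only useradd_t, yet the optional_policy block re-added just below still calls nscd_run(sysadm_passwd_t, $2), so as the lines read here the interface uses a type it no longer requires. If the intent is to cover the useradd domain, pass useradd_t to nscd_run; otherwise keep "type sysadm_passwd_t;" in the gen_require. The commented-out attribute_role and usermanage_domtrans_useradd/roleattribute lines would also be better deleted than carried as # comments.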
@@ -114768,7 +114766,7 @@ index fc86b7c..ba6be42 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..ff65b6f 100644
+index 130ced9..af3532c 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -114871,7 +114869,7 @@ index 130ced9..ff65b6f 100644
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
+
-+ tunable_policy(`user_direct_dri',`
++ tunable_policy(`selinuxuser_direct_dri_enabled',`
+ dev_rw_dri($2)
+ ')
+
@@ -115067,7 +115065,7 @@ index 130ced9..ff65b6f 100644
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
+
-+ tunable_policy(`user_direct_dri',`
++ tunable_policy(`selinuxuser_direct_dri_enabled',`
+ dev_rw_dri($2)
+ ')
')
@@ -116105,7 +116103,7 @@ index 130ced9..ff65b6f 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..10170d4 100644
+index d40f750..0a71fa1 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -116161,7 +116159,7 @@ index d40f750..10170d4 100644
+## Allow regular users direct dri device access
+## </p>
+## </desc>
-+gen_tunable(user_direct_dri, false)
++gen_tunable(selinuxuser_direct_dri_enabled, false)
+
+attribute xdmhomewriter;
+attribute x_userdomain;
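Review bot: the new name in gen_tunable(selinuxuser_direct_dri_enabled, false) matches both tunable_policy uses in xserver.if, but nothing in this diff touches the boolean substitution mapping that the commit message relies on. Confirm that the mapping resolves user_direct_dri to exactly this spelling; otherwise a setting made under the old name will not carry over and the default of false applies.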
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index e2346ae..fb640fa 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -15124,7 +15124,7 @@ index fb4bf82..126d543 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 625cb32..47d33d3 100644
+index 625cb32..082afa9 100644
--- a/dbus.te
+++ b/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -15239,18 +15239,17 @@ index 625cb32..47d33d3 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -149,13 +180,157 @@ optional_policy(`
- sysnet_domtrans_dhcpc(system_dbusd_t)
+@@ -150,12 +181,156 @@ optional_policy(`
')
-+#optional_policy(`
+ optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
+ systemd_start_power_services(system_dbusd_t)
-+#')
++')
+
- optional_policy(`
++optional_policy(`
udev_read_db(system_dbusd_t)
')
@@ -53573,10 +53572,15 @@ index a63e9ee..8910c44 100644
+ nis_use_ypbind(rpcbind_t)
+')
diff --git a/rpm.fc b/rpm.fc
-index b2a0b6a..6167fe8 100644
+index b2a0b6a..ee55335 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -6,6 +6,7 @@
+@@ -2,10 +2,12 @@
+ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
++/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
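Review bot: /usr/bin/dnf is labeled rpm_exec_t here, but the /var/cache and /var/lib entries visible further down this file cover only PackageKit, rpm and yum. If dnf keeps its own cache or state directory, add matching rpm_var_cache_t and rpm_var_lib_t lines in the same change so the files it writes do not end up with a generic var label.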
@@ -53584,7 +53588,7 @@ index b2a0b6a..6167fe8 100644
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -20,12 +21,18 @@
+@@ -20,12 +22,18 @@
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
@@ -53603,7 +53607,7 @@ index b2a0b6a..6167fe8 100644
')
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-@@ -36,9 +43,10 @@ ifdef(`distro_redhat', `
+@@ -36,9 +44,10 @@ ifdef(`distro_redhat', `
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
@@ -65187,10 +65191,10 @@ index 2124b6a..e18ac1c 100644
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..45bd376 100644
+index 6f0736b..d5b53ed 100644
--- a/virt.if
+++ b/virt.if
-@@ -13,39 +13,49 @@
+@@ -13,64 +13,61 @@
#
template(`virt_domain_template',`
gen_require(`
@@ -65249,7 +65253,13 @@ index 6f0736b..45bd376 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,20 +67,6 @@ template(`virt_domain_template',`
+ manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir lnk_file })
++ userdom_user_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file })
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
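Review bot: the added userdom_user_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file }) sits in virt_domain_template, so every domain created from the template gains a type transition in user tmp directories, not only the one that prompted the change. A one-line comment naming the case that needs it would help, and if only a single domain does, the call belongs with that domain rather than in the template. The class lists on the two filetrans lines are also ordered differently ({ file dir lnk_file } and { dir file lnk_file }); pick one order.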
@@ -65270,7 +65280,7 @@ index 6f0736b..45bd376 100644
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -98,14 +94,32 @@ interface(`virt_image',`
+@@ -98,14 +95,32 @@ interface(`virt_image',`
dev_node($1)
')
@@ -65305,7 +65315,7 @@ index 6f0736b..45bd376 100644
## </param>
#
interface(`virt_domtrans',`
-@@ -116,9 +130,45 @@ interface(`virt_domtrans',`
+@@ -116,9 +131,45 @@ interface(`virt_domtrans',`
domtrans_pattern($1, virtd_exec_t, virtd_t)
')
@@ -65352,7 +65362,7 @@ index 6f0736b..45bd376 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -166,13 +216,13 @@ interface(`virt_attach_tun_iface',`
+@@ -166,13 +217,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -65368,7 +65378,7 @@ index 6f0736b..45bd376 100644
')
########################################
-@@ -187,13 +237,13 @@ interface(`virt_read_config',`
+@@ -187,13 +238,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -65384,7 +65394,7 @@ index 6f0736b..45bd376 100644
')
########################################
-@@ -233,6 +283,24 @@ interface(`virt_read_content',`
+@@ -233,6 +284,24 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -65409,7 +65419,7 @@ index 6f0736b..45bd376 100644
## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -252,6 +320,28 @@ interface(`virt_read_pid_files',`
+@@ -252,6 +321,28 @@ interface(`virt_read_pid_files',`
########################################
## <summary>
@@ -65438,7 +65448,7 @@ index 6f0736b..45bd376 100644
## Manage virt pid files.
## </summary>
## <param name="domain">
-@@ -263,10 +353,42 @@ interface(`virt_read_pid_files',`
+@@ -263,10 +354,42 @@ interface(`virt_read_pid_files',`
interface(`virt_manage_pid_files',`
gen_require(`
type virt_var_run_t;
@@ -65481,7 +65491,7 @@ index 6f0736b..45bd376 100644
')
########################################
-@@ -310,6 +432,24 @@ interface(`virt_read_lib_files',`
+@@ -310,6 +433,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
@@ -65506,7 +65516,7 @@ index 6f0736b..45bd376 100644
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -354,9 +494,9 @@ interface(`virt_read_log',`
+@@ -354,9 +495,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
@@ -65518,7 +65528,7 @@ index 6f0736b..45bd376 100644
## </param>
#
interface(`virt_append_log',`
-@@ -390,6 +530,25 @@ interface(`virt_manage_log',`
+@@ -390,6 +531,25 @@ interface(`virt_manage_log',`
########################################
## <summary>
@@ -65544,7 +65554,7 @@ index 6f0736b..45bd376 100644
## Allow domain to read virt image files
## </summary>
## <param name="domain">
-@@ -410,6 +569,7 @@ interface(`virt_read_images',`
+@@ -410,6 +570,7 @@ interface(`virt_read_images',`
read_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
read_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -65552,7 +65562,7 @@ index 6f0736b..45bd376 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -426,6 +586,24 @@ interface(`virt_read_images',`
+@@ -426,6 +587,24 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -65577,7 +65587,7 @@ index 6f0736b..45bd376 100644
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -435,15 +613,15 @@ interface(`virt_read_images',`
+@@ -435,15 +614,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -65598,7 +65608,7 @@ index 6f0736b..45bd376 100644
')
########################################
-@@ -468,18 +646,7 @@ interface(`virt_manage_images',`
+@@ -468,18 +647,7 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -65618,7 +65628,7 @@ index 6f0736b..45bd376 100644
')
########################################
-@@ -502,10 +669,19 @@ interface(`virt_manage_images',`
+@@ -502,10 +670,19 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -65639,7 +65649,7 @@ index 6f0736b..45bd376 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -517,4 +693,295 @@ interface(`virt_admin',`
+@@ -517,4 +694,295 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
diff --git a/segenman b/segenman
index 6acd55d..3d234a7 100755
--- a/segenman
+++ b/segenman
@@ -897,8 +897,8 @@ if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser(description='Generate SELinux man pages')
- parser.add_argument("-p", "--path", dest="path", required=True, default="/tmp", help="Path for SELinux man pages")
- parser.add_argument("-r", "--version", dest="os_version", default="Fedora18",help="Version of OS")
+ parser.add_argument("-p", "--path", dest="path", default="/tmp", help="Path for SELinux man pages")
+ parser.add_argument("-v", "--version", dest="os_version", default="Fedora18",help="Version of OS")
parser.add_argument("-l", "--list", dest="test_domains", default="", nargs="+", help="List of domains")
try:
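Review bot: dropping required=True from --path makes default="/tmp" take effect, so a run without -p writes the generated man pages straight into a shared, world-writable directory; if the script runs as root during a build, that output location is exposed to pre-created files and symlinks. Keep the option required, or default to a private directory created at run time (for example with tempfile.mkdtemp). Separately, -v for --version reads as "verbose" to most users, so the help text should say plainly that it takes the OS version.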
@@ -907,9 +907,6 @@ if __name__ == '__main__':
os_version = args.os_version
path = args.path
- print os_version
- print path
-
if len(args.test_domains) == 0:
test_domains = domains
else:
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f0a3908..0942879 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 24%{?dist}
+Release: 25%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,7 +521,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Tue Sep 25 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-24
+* Tue Sep 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-25
+- Fix boolean name so subs will continue to work
+
+* Tue Sep 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-24
- dbus needs to start getty unit files
- Add interface to allow system_dbusd_t to start the poweroff service
- xdm wants to exec telepathy apps
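Review bot: the new 3.11.1-25 changelog entry lists only the boolean rename, but the same commit also reworks usermanage_run_useradd, re-enables the optional_policy wrapper around the systemd calls in dbus.te, labels /usr/bin/dnf, extends the virt tmp file transitions and changes the segenman options. Add a changelog line for each of these so that the policy changes shipped in this release can be traced from the package metadata.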
@@ -532,7 +535,7 @@ SELinux Reference policy mls base module.
- realmd needs to read /dev/urand
- Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded
-* Thu Sep 20 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-23
+* Thu Sep 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-23
- Fixes to safe more rules
- Re-write tomcat_domain_template()
- Fix passenger labeling
@@ -540,7 +543,7 @@ SELinux Reference policy mls base module.
- Add ephemeral_port_t to the 'generic' port interfaces
- Fix the names of postgresql booleans
-* Tue Sep 18 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-22
+* Tue Sep 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-22
- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer
- Move netlable_peer check out of booleans
- Remove call to recvfrom_netlabel for kerberos call
@@ -556,7 +559,7 @@ SELinux Reference policy mls base module.
- Allow stapserver to search cgroups directories
- Allow all postfix domains to talk to spamd
-* Mon Sep 17 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-21
+* Mon Sep 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-21
- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check
- Change pam_t to pam_timestamp_t
- Add dovecot_domain attribute and allow this attribute block_suspend capability2
@@ -566,17 +569,17 @@ SELinux Reference policy mls base module.
- Make piranha-pulse as initrc domain
- Update openshift instances to dontaudit setattr until the kernel is fixed.
-* Fri Sep 14 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-20
+* Fri Sep 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-20
- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd
- Remove pam_selinux.8 which conflicts with man page owned by the pam package
- Allow glance-api to talk to mysql
- ABRT wants to read Xorg.0.log if if it detects problem with Xorg
- Fix gstreamer filename trans. interface
-* Thu Sep 13 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-19
+* Thu Sep 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-19
- Man page fixes by Dan Walsh
-* Tue Sep 11 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-18
+* Tue Sep 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-18
- Allow postalias to read postfix config files
- Allow man2html to read man pages
- Allow rhev-agentd to search all mountpoints
@@ -588,7 +591,7 @@ SELinux Reference policy mls base module.
- Fix /dev/twa labeling
- Allow systemd to read modules config
-* Mon Sep 10 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-17
+* Mon Sep 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-17
- Merge openshift policy
- Allow xauth to read /dev/urandom
- systemd needs to relabel content in /run/systemd directories