[selinux-policy/f17] * Thu Sep 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-151 - Allow winbind to connect do ldap w

Miroslav Grepl mgrepl at fedoraproject.org
Thu Sep 27 17:07:13 UTC 2012


commit ddb8061c6ddd40bdec1e502b79b5e86b28ea4543
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Sep 27 19:06:55 2012 +0200

    * Thu Sep 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-151
    - Allow winbind to connect to ldap without a boolean
    - Allow mozilla-plugin to connect to commplex port
    - Fix tomcat template interface
    - Allow thumb to use user fonts

 policy-F16.patch    |   46 +++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |    8 +++++++-
 2 files changed, 36 insertions(+), 18 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 4f509ef..a9e88cb 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -72195,7 +72195,7 @@ index fbb5c5a..67c1168 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..4476c7f 100644
+index 2e9318b..67eb88c 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
@@ -72384,7 +72384,7 @@ index 2e9318b..4476c7f 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,31 +354,49 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,31 +354,50 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -72428,6 +72428,7 @@ index 2e9318b..4476c7f 100644
 +corenet_tcp_connect_streaming_port(mozilla_plugin_t)
 +corenet_tcp_connect_soundd_port(mozilla_plugin_t)
 +corenet_tcp_connect_vnc_port(mozilla_plugin_t)
++corenet_tcp_connect_commplex_port(mozilla_plugin_t)
 +corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
 +corenet_tcp_connect_monopd_port(mozilla_plugin_t)
 +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
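Review bot: The added `corenet_tcp_connect_commplex_port(mozilla_plugin_t)` is unconditional and has no comment saying which plugin needs this port, in a domain whose job is to confine code that handles untrusted web content. Each extra named port widens what a compromised plugin can reach, so the grant should be traceable; a comment such as `# <plugin name> connects to the commplex port, see <bug reference>` directly above the line would do. If only some users need the plugin, placing the rule under a tunable would be tighter, though whether a suitable one exists cannot be told from this hunk. The rule list continues outside the hunk on both sides.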
@@ -72441,7 +72442,7 @@ index 2e9318b..4476c7f 100644
  dev_read_video_dev(mozilla_plugin_t)
  dev_write_video_dev(mozilla_plugin_t)
  dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +405,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +406,7 @@ dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -72449,7 +72450,7 @@ index 2e9318b..4476c7f 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +413,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +414,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -72471,7 +72472,7 @@ index 2e9318b..4476c7f 100644
  logging_send_syslog_msg(mozilla_plugin_t)
  
  miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,34 +440,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,34 +441,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -72520,7 +72521,7 @@ index 2e9318b..4476c7f 100644
  ')
  
  optional_policy(`
-@@ -421,24 +474,33 @@ optional_policy(`
+@@ -421,24 +475,33 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -72558,7 +72559,7 @@ index 2e9318b..4476c7f 100644
  ')
  
  optional_policy(`
-@@ -446,10 +508,105 @@ optional_policy(`
+@@ -446,10 +509,105 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -76462,10 +76463,10 @@ index 0000000..9127cec
 +')
 diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
 new file mode 100644
-index 0000000..c7af0d8
+index 0000000..1662c7b
 --- /dev/null
 +++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,122 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -76573,6 +76574,7 @@ index 0000000..c7af0d8
 +xserver_dontaudit_read_xdm_pid(thumb_t)
 +xserver_dontaudit_xdm_tmp_dirs(thumb_t)
 +xserver_stream_connect(thumb_t)
++xserver_use_user_fonts(thumb_t)
 +
 +optional_policy(`
 +	dbus_dontaudit_stream_connect_session_bus(thumb_t)
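Review bot: `xserver_use_user_fonts(thumb_t)` probably grants more than the changelog's "use user fonts" implies: in the reference policy this interface usually also lets the caller manage the user font cache, not only read fonts and font configuration. thumb_t parses arbitrary user files, so any write access it gains should be confirmed against the interface definition, which is not visible here. If reading fonts is all the thumbnailers need, a read-only grant with the cache writes dontaudited keeps the domain closer to least privilege. A short comment above the line, for example `# thumbnailers render text with fonts from the user's home directory`, would record the reason.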
@@ -132555,7 +132557,7 @@ index 82cb169..9642fe3 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..2b51fe4 100644
+index e30bb63..caa639a 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -1,4 +1,4 @@
@@ -133013,10 +133015,15 @@ index e30bb63..2b51fe4 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -864,6 +938,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -864,6 +938,16 @@ userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
++    ldap_stream_connect(winbind_t)
++    dirsrv_stream_connect(winbind_t)
++')
++
++optional_policy(`
 +	ctdbd_stream_connect(winbind_t)
 +	ctdbd_manage_lib_files(winbind_t)
 +')
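Review bot: Putting `ldap_stream_connect(winbind_t)` and `dirsrv_stream_connect(winbind_t)` in the same `optional_policy` block ties the two together: an optional block is dropped as a whole when any interface in it cannot be resolved, so a policy built without the dirsrv module would silently lose the ldap rule as well, and the reverse. Moving `dirsrv_stream_connect(winbind_t)` into its own `optional_policy` block, the way the ctdbd and kerberos blocks beside it are kept per module, avoids that. The two added calls are also indented with spaces where the neighbouring blocks use tabs. Because the access is now granted without a boolean, a one-line comment stating why winbind needs it unconditionally would help a later audit.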
@@ -133025,7 +133032,7 @@ index e30bb63..2b51fe4 100644
  	kerberos_use(winbind_t)
  ')
  
-@@ -904,7 +983,8 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +988,8 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -133035,7 +133042,7 @@ index e30bb63..2b51fe4 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,19 +1002,34 @@ optional_policy(`
+@@ -922,19 +1007,34 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -138348,10 +138355,10 @@ index 0000000..a8385bc
 +/var/run/tomcat6?\.pid		--	gen_context(system_u:object_r:tomcat_var_run_t,s0)
 diff --git a/policy/modules/services/tomcat.if b/policy/modules/services/tomcat.if
 new file mode 100644
-index 0000000..226293f
+index 0000000..c531b5e
 --- /dev/null
 +++ b/policy/modules/services/tomcat.if
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,400 @@
 +
 +## <summary>policy for tomcat</summary>
 +
@@ -138402,15 +138409,18 @@ index 0000000..226293f
 +
 +	manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
 +	manage_files_pattern($1_t, $1_log_t, $1_log_t)
++	manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
 +	logging_log_filetrans($1_t, $1_log_t, { dir file })
 +
 +	manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 +	manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+	files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file })
++	manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++	files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
 +
 +	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
 +	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+	files_pid_filetrans($1_t, $1_var_run_t, { dir file })
++	manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++	files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })
 +
 +	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
 +	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
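Review bot: The log rules end up inconsistent with the other two directories: `manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)` is added, but `logging_log_filetrans($1_t, $1_log_t, { dir file })` is left without `lnk_file`, while the var_lib and var_run transitions gain it. More important for hardening, manage access lets the daemon create and retarget symlinks in directories that more privileged tools such as log rotation may traverse. If tomcat only has to follow symlinks shipped by the package, `read_lnk_files_pattern` on these three types would be enough. A comment above the additions naming the symlinks that motivated the change would make the choice reviewable. The template body starts and ends outside this hunk.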
@@ -138420,6 +138430,8 @@ index 0000000..226293f
 +	can_exec($1_t, $1_exec_t)
 +
 +	kernel_read_system_state($1_t)
++
++	logging_send_syslog_msg($1_t)
 +')
 +
 +########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f4183fc..4bc5f87 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 150%{?dist}
+Release: 151%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Sep 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-151
+- Allow winbind to connect do ldap without a boolean
+- Allow mozilla-plugin to connect to commplex port
+- Fix tomcat template interface
+- Allow thumb to use user fonts
+
 * Mon Sep 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-150
 - Backport tomcat fixes from F18
 - Add filename transition for mongod.log

