rpms/selinux-policy/devel booleans-targeted.conf, 1.7, 1.8 policy-20060411.patch, 1.7, 1.8 selinux-policy.spec, 1.176, 1.177
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Apr 19 17:38:13 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv26539
Modified Files:
booleans-targeted.conf policy-20060411.patch
selinux-policy.spec
Log Message:
* Wed Apr 19 2006 Dan Walsh <dwalsh at redhat.com> 2.2.34-1
- Update to latest from upstream
- Allow selinux-policy to be removed and kernel not to crash
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- booleans-targeted.conf 6 Apr 2006 19:08:54 -0000 1.7
+++ booleans-targeted.conf 19 Apr 2006 17:37:38 -0000 1.8
@@ -88,7 +88,7 @@
# Run SSI execs in system CGI script domain.
#
-httpd_ssi_exec = true
+httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
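Review bot: The default for `httpd_ssi_exec` flips from true to false in this hunk, but neither the log message nor the new %changelog entry mentions it. The comment above the boolean says it controls running SSI execs in the system CGI script domain, so sites that rely on SSI exec presumably see a behaviour change after the update. I would record it in the changelog, for example `- Turn off httpd_ssi_exec boolean by default`, so administrators can tell why SSI exec stopped working and re-enable the boolean deliberately.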
policy-20060411.patch:
kernel/devices.if | 20 ++++++++++++++++++++
kernel/files.if | 35 +++++++++++++++++++++++++++++++++++
kernel/mls.te | 1 +
services/pegasus.te | 8 ++++++++
services/samba.te | 2 +-
system/init.te | 1 +
system/libraries.fc | 2 +-
system/sysnetwork.te | 2 ++
system/unconfined.if | 18 ++++++++++++++++++
system/userdomain.if | 1 +
system/xen.if | 18 ++++++++++++++++++
system/xen.te | 1 +
12 files changed, 107 insertions(+), 2 deletions(-)
Index: policy-20060411.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060411.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20060411.patch 19 Apr 2006 11:55:43 -0000 1.7
+++ policy-20060411.patch 19 Apr 2006 17:37:38 -0000 1.8
@@ -1,21 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.33/policy/modules/apps/java.te
---- nsaserefpolicy/policy/modules/apps/java.te 2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/apps/java.te 2006-04-18 23:10:07.000000000 -0400
-@@ -7,8 +7,11 @@
- #
-
- type java_t;
-+domain_type(java_t)
-+
- type java_exec_t;
- init_system_domain(java_t,java_exec_t)
-+files_type(java_exec_t)
-
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.33/policy/modules/kernel/devices.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.34/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/kernel/devices.if 2006-04-18 23:10:07.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/kernel/devices.if 2006-04-19 12:56:26.000000000 -0400
@@ -2874,3 +2874,23 @@
typeattribute $1 devices_unconfined_type;
@@ -40,9 +25,9 @@
+ dontaudit $1 device_node:dir_file_class_set getattr;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.33/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.34/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/kernel/files.if 2006-04-19 07:51:01.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/kernel/files.if 2006-04-19 12:56:26.000000000 -0400
@@ -1268,6 +1268,26 @@
########################################
@@ -92,9 +77,9 @@
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.33/policy/modules/kernel/mls.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.34/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-03-07 10:31:09.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/kernel/mls.te 2006-04-18 23:10:07.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/kernel/mls.te 2006-04-19 12:56:26.000000000 -0400
@@ -60,6 +60,7 @@
ifdef(`enable_mls',`
@@ -103,44 +88,9 @@
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.2.33/policy/modules/services/cups.fc
---- nsaserefpolicy/policy/modules/services/cups.fc 2006-03-23 14:33:30.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/services/cups.fc 2006-04-18 23:10:07.000000000 -0400
-@@ -35,7 +35,8 @@
- /usr/share/hplip/hpssd.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
-
- /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/var/cache/foomatic(/.*)? -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
- /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.33/policy/modules/services/ftp.te
---- nsaserefpolicy/policy/modules/services/ftp.te 2006-04-12 13:44:37.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/services/ftp.te 2006-04-18 23:10:07.000000000 -0400
-@@ -126,6 +126,7 @@
- seutil_dontaudit_search_config(ftpd_t)
-
- sysnet_read_config(ftpd_t)
-+sysnet_use_ldap(ftpd_t)
-
- userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
- userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.fc serefpolicy-2.2.33/policy/modules/services/pegasus.fc
---- nsaserefpolicy/policy/modules/services/pegasus.fc 2005-11-07 15:10:44.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/services/pegasus.fc 2006-04-19 07:45:04.000000000 -0400
-@@ -3,6 +3,7 @@
- /etc/Pegasus/pegasus_current.conf gen_context(system_u:object_r:pegasus_data_t,s0)
-
- /usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+
- /usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-
- /var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.33/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.34/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/services/pegasus.te 2006-04-19 07:53:45.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/services/pegasus.te 2006-04-19 12:56:26.000000000 -0400
@@ -79,11 +79,16 @@
corenet_tcp_connect_pegasus_https_port(pegasus_t)
corenet_tcp_connect_generic_port(pegasus_t)
@@ -175,56 +125,9 @@
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.33/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2006-04-18 22:50:00.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/services/postfix.te 2006-04-18 23:10:07.000000000 -0400
-@@ -315,6 +315,7 @@
-
- kernel_read_kernel_sysctls(postfix_map_t)
- kernel_dontaudit_list_proc(postfix_map_t)
-+kernel_dontaudit_read_system_state(postfix_map_t)
-
- corenet_tcp_sendrecv_all_if(postfix_map_t)
- corenet_udp_sendrecv_all_if(postfix_map_t)
-@@ -360,6 +361,7 @@
- ifdef(`targeted_policy',`
- # FIXME: would be better to use a run interface
- role system_r types postfix_map_t;
-+ term_dontaudit_use_generic_ptys(postfix_map_t)
- ')
-
- tunable_policy(`read_default_t',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-2.2.33/policy/modules/services/postgresql.if
---- nsaserefpolicy/policy/modules/services/postgresql.if 2006-02-10 17:05:19.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/services/postgresql.if 2006-04-18 23:10:07.000000000 -0400
-@@ -113,10 +113,12 @@
- #
- interface(`postgresql_stream_connect',`
- gen_require(`
-- type postgresql_t, postgresql_var_run_t;
-+ type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
- ')
-
- files_search_pids($1)
- allow $1 postgresql_t:unix_stream_socket connectto;
- allow $1 postgresql_var_run_t:sock_file write;
-+ # Some versions of postgresql put the sock file in /tmp
-+ allow $1 postgresql_tmp_t:sock_file write;
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-2.2.33/policy/modules/services/privoxy.te
---- nsaserefpolicy/policy/modules/services/privoxy.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/services/privoxy.te 2006-04-18 23:10:07.000000000 -0400
-@@ -50,6 +50,7 @@
- corenet_non_ipsec_sendrecv(privoxy_t)
- corenet_tcp_bind_http_cache_port(privoxy_t)
- corenet_tcp_connect_http_port(privoxy_t)
-+corenet_tcp_connect_http_cache_port(privoxy_t)
- corenet_tcp_connect_ftp_port(privoxy_t)
- corenet_tcp_connect_tor_port(privoxy_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.33/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te 2006-04-18 22:50:00.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/services/samba.te 2006-04-18 23:10:07.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.34/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te 2006-04-19 12:23:07.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/services/samba.te 2006-04-19 12:56:26.000000000 -0400
@@ -106,8 +106,8 @@
files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
@@ -235,94 +138,9 @@
kernel_read_proc_symlinks(samba_net_t)
-@@ -160,8 +160,10 @@
- corenet_non_ipsec_sendrecv(samba_net_t)
- corenet_tcp_bind_all_nodes(samba_net_t)
- sysnet_read_config(samba_net_t)
-+ corenet_tcp_connect_ldap_port(samba_net_t)
- ')
-
-+
- optional_policy(`
- nscd_socket_use(samba_net_t)
- ')
-@@ -269,6 +271,7 @@
-
- init_use_fds(smbd_t)
- init_use_script_ptys(smbd_t)
-+init_rw_utmp(smbd_t)
-
- libs_use_ld_so(smbd_t)
- libs_use_shared_libs(smbd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.2.33/policy/modules/services/spamassassin.fc
---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2005-12-01 17:57:16.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/services/spamassassin.fc 2006-04-18 23:10:07.000000000 -0400
-@@ -1,5 +1,5 @@
-
--/usr/bin/sa-learn -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
- /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
- /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.33/policy/modules/services/xserver.if
---- nsaserefpolicy/policy/modules/services/xserver.if 2006-04-06 15:31:54.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/services/xserver.if 2006-04-18 23:10:07.000000000 -0400
-@@ -1070,3 +1070,24 @@
-
- dontaudit $1 xdm_xserver_t:tcp_socket { read write };
- ')
-+
-+########################################
-+## <summary>
-+## Allow read and write to
-+## a XDM X server socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to allow
-+## </summary>
-+## </param>
-+#
-+interface(`xserver_rw_xdm_sockets',`
-+ gen_require(`
-+ type xdm_xserver_tmp_t;
-+ ')
-+
-+ allow $1 xdm_xserver_tmp_t:dir search;
-+ allow $1 xdm_xserver_tmp_t:sock_file { read write };
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.33/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/authlogin.te 2006-04-18 23:10:07.000000000 -0400
-@@ -173,9 +173,13 @@
- dev_setattr_video_dev(pam_console_t)
- dev_getattr_xserver_misc_dev(pam_console_t)
- dev_setattr_xserver_misc_dev(pam_console_t)
-+dev_read_urand(pam_console_t)
-
- fs_search_auto_mountpoints(pam_console_t)
-
-+miscfiles_read_localization(pam_console_t)
-+miscfiles_read_certs(pam_console_t)
-+
- storage_getattr_fixed_disk_dev(pam_console_t)
- storage_setattr_fixed_disk_dev(pam_console_t)
- storage_getattr_removable_dev(pam_console_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.33/policy/modules/system/fstools.te
---- nsaserefpolicy/policy/modules/system/fstools.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/fstools.te 2006-04-18 23:10:07.000000000 -0400
-@@ -77,6 +77,7 @@
- dev_getattr_usbfs_dirs(fsadm_t)
- # Access to /dev/mapper/control
- dev_rw_lvm_control(fsadm_t)
-+dev_dontaudit_getattr_all_device_nodes(fsadm_t)
-
- fs_search_auto_mountpoints(fsadm_t)
- fs_getattr_xattr_fs(fsadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.33/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.34/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-04-18 22:50:00.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/init.te 2006-04-18 23:10:07.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/init.te 2006-04-19 12:56:26.000000000 -0400
@@ -352,6 +352,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
@@ -331,94 +149,21 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.33/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc 2006-04-18 22:50:00.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/libraries.fc 2006-04-18 23:10:07.000000000 -0400
-@@ -83,7 +83,6 @@
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/lib(64)?/vmware(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -189,6 +188,8 @@
-
- # vmware
- /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- # Java, Sun Microsystems (JPackage SRPM)
- /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -223,3 +224,5 @@
- /var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
- /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
- /var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-+/usr/NX/lib/libXcomp.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/NX/lib/libjpeg.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-2.2.33/policy/modules/system/mount.if
---- nsaserefpolicy/policy/modules/system/mount.if 2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/system/mount.if 2006-04-18 23:10:07.000000000 -0400
-@@ -113,3 +113,25 @@
- allow $1 mount_t:udp_socket rw_socket_perms;
- ')
-
-+########################################
-+## <summary>
-+## Execute mount in the unconfined_mount domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`unconfined_mount_domtrans',`
-+ gen_require(`
-+ type unconfined_mount_t, mount_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
-+
-+ allow $1 unconfined_mount_t:fd use;
-+ allow unconfined_mount_t $1:fd use;
-+ allow unconfined_mount_t $1:fifo_file rw_file_perms;
-+ allow unconfined_mount_t $1:process sigchld;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.33/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te 2006-04-12 13:44:38.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/mount.te 2006-04-18 23:10:07.000000000 -0400
-@@ -151,3 +151,12 @@
- optional_policy(`
- samba_domtrans_smbmount(mount_t)
- ')
-+
-+ifdef(`targeted_policy', `
-+ type unconfined_mount_t;
-+ domain_type(unconfined_mount_t)
-+ role system_r types unconfined_mount_t;
-+ domain_entry_file(unconfined_mount_t,mount_exec_t)
-+ files_manage_etc_runtime_files(unconfined_mount_t)
-+ unconfined_domain(unconfined_mount_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.33/policy/modules/system/selinuxutil.if
---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-03-29 14:18:17.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/system/selinuxutil.if 2006-04-18 23:10:07.000000000 -0400
-@@ -697,8 +697,8 @@
-
- files_search_etc($1)
- allow $1 selinux_config_t:dir search;
-- allow $1 file_context_t:dir r_dir_perms;
-- allow $1 file_context_t:file rw_file_perms;
-+ allow $1 file_context_t:dir rw_dir_perms;
-+ allow $1 file_context_t:file create_file_perms;
- allow $1 file_context_t:lnk_file { getattr read };
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.33/policy/modules/system/sysnetwork.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.34/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-04-19 12:23:07.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/libraries.fc 2006-04-19 12:56:29.000000000 -0400
+@@ -113,7 +113,7 @@
+ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libglide-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/helix/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/helix/plugins/theorarend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.34/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-03-24 11:15:53.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/system/sysnetwork.te 2006-04-18 23:44:30.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/sysnetwork.te 2006-04-19 12:56:26.000000000 -0400
@@ -248,6 +248,7 @@
optional_policy(`
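Review bot: The new libraries.fc hunk replaces the `libglide-v[0-9]*\.so.*` pattern with `libglide3-v[0-9]*\.so.*` instead of adding a second entry. Any library still installed under the old `libglide-v<N>.so` name would then no longer match a `textrel_shlib_t` entry and would fall back to whatever broader library pattern applies. If both naming schemes can exist on supported systems, keep the old line and add the new one beside it. Otherwise a short comment above the entry saying the old name is gone would explain the change.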
@@ -433,9 +178,9 @@
xen_append_log(ifconfig_t)
+ xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.33/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.34/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-04-12 13:44:38.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/unconfined.if 2006-04-19 07:53:34.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/unconfined.if 2006-04-19 12:56:26.000000000 -0400
@@ -224,6 +224,24 @@
########################################
@@ -461,37 +206,9 @@
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.33/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te 2006-04-18 22:50:00.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/unconfined.te 2006-04-18 23:10:07.000000000 -0400
-@@ -37,10 +37,13 @@
- logging_domtrans_auditctl(unconfined_t)
-
- seutil_domtrans_restorecon(unconfined_t)
-+ seutil_domtrans_semanage(unconfined_t)
-
- userdom_unconfined(unconfined_t)
- userdom_priveleged_home_dir_manager(unconfined_t)
-
-+ unconfined_mount_domtrans(unconfined_t)
-+
- optional_policy(`
- ada_domtrans(unconfined_t)
- ')
-@@ -140,10 +143,6 @@
- ')
-
- optional_policy(`
-- seutil_domtrans_semanage(unconfined_t)
-- ')
--
-- optional_policy(`
- sysnet_domtrans_dhcpc(unconfined_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.33/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.34/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-04-18 22:50:01.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/userdomain.if 2006-04-18 23:10:07.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/userdomain.if 2006-04-19 12:56:26.000000000 -0400
@@ -4171,6 +4171,7 @@
type user_home_dir_t;
')
@@ -500,9 +217,9 @@
files_home_filetrans($1,user_home_dir_t,dir)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.33/policy/modules/system/xen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.34/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2006-03-23 16:08:51.000000000 -0500
-+++ serefpolicy-2.2.33/policy/modules/system/xen.if 2006-04-18 23:44:30.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/xen.if 2006-04-19 12:56:26.000000000 -0400
@@ -47,6 +47,24 @@
########################################
@@ -528,9 +245,9 @@
## Connect to xenstored over an unix stream socket.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.33/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.34/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-04-18 22:50:01.000000000 -0400
-+++ serefpolicy-2.2.33/policy/modules/system/xen.te 2006-04-18 23:45:51.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/xen.te 2006-04-19 12:56:26.000000000 -0400
@@ -125,6 +125,7 @@
files_read_etc_files(xend_t)
@@ -539,15 +256,3 @@
storage_raw_read_fixed_disk(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.2.33/Rules.modular
---- nsaserefpolicy/Rules.modular 2006-03-23 14:33:29.000000000 -0500
-+++ serefpolicy-2.2.33/Rules.modular 2006-04-18 23:10:07.000000000 -0400
-@@ -208,7 +208,7 @@
- #
- $(APPDIR)/customizable_types: $(BASE_CONF)
- @mkdir -p $(APPDIR)
-- $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
-+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
- $(verbose) install -m 644 $(TMPDIR)/customizable_types $@
-
- ########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.176
retrieving revision 1.177
diff -u -r1.176 -r1.177
--- selinux-policy.spec 19 Apr 2006 11:55:43 -0000 1.176
+++ selinux-policy.spec 19 Apr 2006 17:37:38 -0000 1.177
@@ -15,7 +15,7 @@
%define CHECKPOLICYVER 1.30.1-2
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.33
+Version: 2.2.34
Release: 1
License: GPL
Group: System Environment/Base
@@ -233,6 +233,15 @@
">> /etc/selinux/config
fi
+%postun
+setenforce 0 2> /dev/null
+if [ ! -s /etc/selinux/config ]; then
+ echo "SELINUX=disabled" > /etc/selinux/config
+else
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
+fi
+
+
%if %{BUILD_TARGETED}
%package targeted
Summary: SELinux targeted base policy
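Review bot: The new `%postun` body runs unconditionally, and RPM also runs the old package's `%postun` during an upgrade (with `$1` set to 1 or more), not only on final removal. As written, every upgrade of selinux-policy would call `setenforce 0` and rewrite `/etc/selinux/config` to `SELINUX=disabled`, silently turning off enforcement on systems that never asked for it. Wrap the whole body in `if [ $1 = 0 ]; then` … `fi` so it runs only when the package is really being erased. Separately, the `sed -i` branch only rewrites an existing `SELINUX=` line, so a non-empty config without one is left unchanged; appending the line in that case would make the removal path consistent.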
@@ -321,6 +330,10 @@
%endif
%changelog
+* Wed Apr 19 2006 Dan Walsh <dwalsh at redhat.com> 2.2.34-1
+- Update to latest from upstream
+- Allow selinux-policy to be removed and kernel not to crash
+
* Tue Apr 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.33-1
- Update to latest from upstream
- Add James Antill patch for xen