rpms/selinux-policy/devel policy-20060323.patch, 1.8, 1.9 selinux-policy.spec, 1.166, 1.167

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Apr 4 10:08:10 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv20744

Modified Files:
	policy-20060323.patch selinux-policy.spec 
Log Message:
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-3
- Get auditctl working in MLS policy


policy-20060323.patch:
 admin/rpm.te               |    1 +
 apps/mono.if               |   23 +++++++++++++++++++++++
 apps/mono.te               |    1 +
 kernel/devices.fc          |    1 +
 kernel/devices.if          |   40 ++++++++++++++++++++++++++++++++++++++++
 kernel/files.if            |   15 +++++++++++++++
 kernel/mls.te              |    1 +
 services/apache.if         |   20 ++++++++++++++++++++
 services/automount.te      |    1 +
 services/avahi.te          |    4 ++++
 services/bluetooth.te      |    7 +++++--
 services/cups.te           |    2 +-
 services/dbus.te           |    1 +
 services/hal.te            |   13 ++++++++++++-
 services/networkmanager.te |    1 +
 services/nscd.if           |   20 ++++++++++++++++++++
 services/samba.te          |    2 ++
 services/snmp.te           |    1 +
 services/xserver.if        |   21 +++++++++++++++++++++
 system/fstools.te          |    1 +
 system/getty.fc            |    1 +
 system/getty.te            |    2 ++
 system/init.te             |    1 +
 system/libraries.fc        |   22 +++++++++++++++++-----
 system/logging.if          |   32 ++++++++++++++++++++++++++++++++
 system/mount.te            |    4 +++-
 system/unconfined.if       |   17 +++++------------
 system/unconfined.te       |    4 ----
 system/userdomain.te       |    4 ++--
 29 files changed, 235 insertions(+), 28 deletions(-)

Index: policy-20060323.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060323.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20060323.patch	3 Apr 2006 17:17:13 -0000	1.8
+++ policy-20060323.patch	4 Apr 2006 10:07:53 -0000	1.9
@@ -1,3 +1,14 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.29/policy/modules/admin/rpm.te
+--- nsaserefpolicy/policy/modules/admin/rpm.te	2006-03-30 10:59:02.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/admin/rpm.te	2006-04-03 16:38:39.000000000 -0400
+@@ -117,6 +117,7 @@
+ mls_file_read_up(rpm_t)
+ mls_file_write_down(rpm_t)
+ mls_file_upgrade(rpm_t)
++mls_file_downgrade(rpm_t)
+ 
+ selinux_get_fs_mount(rpm_t)
+ selinux_validate_context(rpm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.29/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2006-03-23 16:46:10.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/apps/mono.if	2006-04-03 10:03:24.000000000 -0400
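Review bot: The added `mls_file_downgrade(rpm_t)` in rpm.te carries no comment and is not covered by the log message, which names only auditctl. Together with the three context lines above it, rpm_t now holds read-up, write-down, upgrade and downgrade for files, so the reason for the last override should be recorded next to the rule. A possible comment is `# rpm must be able to lower a file's level when it resets package file contexts` (presumably the motivation; confirm with the author). The rpm_t policy block this line belongs to starts and ends outside the hunk.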
@@ -103,7 +114,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.29/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2006-03-30 10:04:15.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/kernel/files.if	2006-03-31 11:21:52.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/kernel/files.if	2006-04-03 17:43:29.000000000 -0400
 @@ -1643,6 +1643,21 @@
  ')
  
@@ -126,6 +137,17 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.29/policy/modules/kernel/mls.te
+--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-03-23 16:45:31.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/kernel/mls.te	2006-04-03 16:29:39.000000000 -0400
+@@ -60,6 +60,7 @@
+ 
+ ifdef(`enable_mls',`
+ range_transition initrc_t auditd_exec_t s15:c0.c255;
++range_transition secadm_t auditctl_exec_t s15:c0.c255;
+ range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+ range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.29/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2006-03-24 11:09:14.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/services/apache.if	2006-04-03 13:02:08.000000000 -0400
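Review bot: The new `range_transition secadm_t auditctl_exec_t s15:c0.c255;` covers only auditctl started from secadm_t, because a range_transition is keyed on the calling domain. If audit rules are also loaded from an init script or by another admin domain (not visible in this hunk), those callers keep their own level and would presumably still fail under MLS; a matching line such as `range_transition initrc_t auditctl_exec_t s15:c0.c255;` would then be needed. If secadm_t is meant to be the sole caller, state that above the rule, e.g. `# auditctl runs at SystemHigh; only secadm_t is expected to invoke it`. The ifdef block continues outside the hunk.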
@@ -219,6 +241,18 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.29/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te	2006-03-30 10:59:02.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/cups.te	2006-04-03 17:42:39.000000000 -0400
+@@ -110,7 +110,7 @@
+ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+ 
+ allow cupsd_t cupsd_var_run_t:file create_file_perms;
+-allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
++allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
+ allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
+ files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.29/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2006-03-24 11:09:14.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/services/dbus.te	2006-03-31 11:21:52.000000000 -0500
@@ -232,7 +266,7 @@
  seutil_read_default_contexts(system_dbusd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.29/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2006-03-30 10:59:02.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/services/hal.te	2006-04-03 11:31:34.000000000 -0400
++++ serefpolicy-2.2.29/policy/modules/services/hal.te	2006-04-03 17:43:25.000000000 -0400
 @@ -22,7 +22,7 @@
  #
  
@@ -261,7 +295,15 @@
  
  # hal is now execing pm-suspend
  dev_rw_sysfs(hald_t)
-@@ -187,6 +192,11 @@
+@@ -93,6 +98,7 @@
+ files_read_usr_files(hald_t)
+ # hal is now execing pm-suspend
+ files_create_boot_flag(hald_t)
++files_getattr_default_dirs(hald_t)
+ 
+ fs_getattr_all_fs(hald_t)
+ fs_search_all(hald_t)
+@@ -187,6 +193,11 @@
  	optional_policy(`
  		networkmanager_dbus_chat(hald_t)
  	')
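Review bot: `files_getattr_default_dirs(hald_t)` is inserted directly below the `# hal is now execing pm-suspend` comment, so it reads as part of that rationale although it looks unrelated to it. Separate it with a blank line and give it its own comment, e.g. `# hald stats directories that still carry the default label` (inferred; confirm against the denial that motivated it). If the access is only a probe that hald does not depend on, a dontaudit rule would keep the domain tighter than an allow.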
@@ -311,6 +353,29 @@
 +	allow $1 nscd_t:process signal;
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.29/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te	2006-03-24 11:09:15.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/samba.te	2006-04-03 14:24:40.000000000 -0400
+@@ -105,6 +105,8 @@
+ allow samba_net_t samba_net_tmp_t:file create_file_perms;
+ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+ 
++allow smbd_t samba_net_tmp_t:file getattr;
++
+ allow samba_net_t samba_var_t:dir rw_dir_perms;
+ allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
+ allow samba_net_t samba_var_t:file create_lnk_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.2.29/policy/modules/services/snmp.te
+--- nsaserefpolicy/policy/modules/services/snmp.te	2006-03-24 11:09:13.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/snmp.te	2006-04-03 13:11:33.000000000 -0400
+@@ -49,6 +49,7 @@
+ allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
+ 
++kernel_read_device_sysctls(snmpd_t)
+ kernel_read_kernel_sysctls(snmpd_t)
+ kernel_read_net_sysctls(snmpd_t)
+ kernel_read_proc_symlinks(snmpd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.29/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2006-03-30 10:16:43.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/services/xserver.if	2006-04-03 10:43:12.000000000 -0400
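Review bot: `allow smbd_t samba_net_tmp_t:file getattr;` is placed in the middle of the samba_net_t local rules, between its tmp and var rules, where someone auditing smbd_t's access will not look for it. Move it to the smbd_t section of samba.te and add a comment naming why smbd needs to stat files created by the net command, for instance `# smbd stats temporary files left by samba_net_t`. The hunk does not show whether the denial was functional or cosmetic; if it was cosmetic, `dontaudit` is the tighter choice.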
@@ -383,7 +448,7 @@
  libs_use_ld_so(initrc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.29/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-03-30 10:18:07.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/libraries.fc	2006-04-03 12:44:37.000000000 -0400
++++ serefpolicy-2.2.29/policy/modules/system/libraries.fc	2006-04-03 14:29:38.000000000 -0400
 @@ -33,6 +33,7 @@
  #
  /opt(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
@@ -401,7 +466,7 @@
  /usr/lib(64)?/pgsql/test/regress/.*\.so 	--	gen_context(system_u:object_r:shlib_t,s0)
  
  /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
-@@ -62,6 +65,8 @@
+@@ -62,18 +65,27 @@
  /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
  /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
  
@@ -410,7 +475,10 @@
  /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -70,10 +75,15 @@
+ /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
++/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
  /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
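Review bot: The new vmware entry combines `libgdk-x11-.*` with a tail of `\.so.*`, and because `.` in a file-context regex also matches `/`, it labels any regular file below a `libgdk-x11-` prefix whose path contains `.so`, not only the library itself. textrel_shlib_t is the type that is allowed text relocations, so its patterns should be as narrow as possible; the neighbouring libGL and nvidia lines already use the stricter tail `\.so(\.[^/]*)*`. Suggested form: `/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-[^/]*\.so(\.[^/]*)*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.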
@@ -427,7 +495,7 @@
  /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -92,6 +102,7 @@
+@@ -92,6 +104,7 @@
  /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -435,7 +503,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -170,10 +181,9 @@
+@@ -170,10 +183,9 @@
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.166
retrieving revision 1.167
diff -u -r1.166 -r1.167
--- selinux-policy.spec	3 Apr 2006 17:17:13 -0000	1.166
+++ selinux-policy.spec	4 Apr 2006 10:07:53 -0000	1.167
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.2.29
-Release: 2
+Release: 3
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -320,6 +320,9 @@
 %endif
 
 %changelog
+* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-3
+- Get auditctl working in MLS policy
+
 * Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-2
 - Add mono dbus support
 - Lots of file_context fixes for textrel_shlib_t in FC5



