rpms/selinux-policy/devel policy-20060323.patch, 1.8, 1.9 selinux-policy.spec, 1.166, 1.167
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Apr 4 10:08:10 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv20744
Modified Files:
policy-20060323.patch selinux-policy.spec
Log Message:
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-3
- Get auditctl working in MLS policy
policy-20060323.patch:
admin/rpm.te | 1 +
apps/mono.if | 23 +++++++++++++++++++++++
apps/mono.te | 1 +
kernel/devices.fc | 1 +
kernel/devices.if | 40 ++++++++++++++++++++++++++++++++++++++++
kernel/files.if | 15 +++++++++++++++
kernel/mls.te | 1 +
services/apache.if | 20 ++++++++++++++++++++
services/automount.te | 1 +
services/avahi.te | 4 ++++
services/bluetooth.te | 7 +++++--
services/cups.te | 2 +-
services/dbus.te | 1 +
services/hal.te | 13 ++++++++++++-
services/networkmanager.te | 1 +
services/nscd.if | 20 ++++++++++++++++++++
services/samba.te | 2 ++
services/snmp.te | 1 +
services/xserver.if | 21 +++++++++++++++++++++
system/fstools.te | 1 +
system/getty.fc | 1 +
system/getty.te | 2 ++
system/init.te | 1 +
system/libraries.fc | 22 +++++++++++++++++-----
system/logging.if | 32 ++++++++++++++++++++++++++++++++
system/mount.te | 4 +++-
system/unconfined.if | 17 +++++------------
system/unconfined.te | 4 ----
system/userdomain.te | 4 ++--
29 files changed, 235 insertions(+), 28 deletions(-)
Index: policy-20060323.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060323.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20060323.patch 3 Apr 2006 17:17:13 -0000 1.8
+++ policy-20060323.patch 4 Apr 2006 10:07:53 -0000 1.9
@@ -1,3 +1,14 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.29/policy/modules/admin/rpm.te
+--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-03-30 10:59:02.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/admin/rpm.te 2006-04-03 16:38:39.000000000 -0400
+@@ -117,6 +117,7 @@
+ mls_file_read_up(rpm_t)
+ mls_file_write_down(rpm_t)
+ mls_file_upgrade(rpm_t)
++mls_file_downgrade(rpm_t)
+
+ selinux_get_fs_mount(rpm_t)
+ selinux_validate_context(rpm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.29/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2006-03-23 16:46:10.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/apps/mono.if 2006-04-03 10:03:24.000000000 -0400
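Review bot: `mls_file_downgrade(rpm_t)` is added without a comment, and the log message only mentions auditctl, so the reason rpm_t needs to lower file sensitivity levels is not recorded anywhere. Together with the three existing `mls_file_*` lines this appears to exempt rpm_t from the MLS file constraints in both directions, which makes the rpm domain part of the trusted base on an MLS system. I would put a line above the block such as `# rpm installs and relabels files at levels other than its own, so it is exempt from the MLS file constraints` (if that is the actual reason) and mention the change in the changelog entry.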
@@ -103,7 +114,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.29/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-03-30 10:04:15.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/kernel/files.if 2006-03-31 11:21:52.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/kernel/files.if 2006-04-03 17:43:29.000000000 -0400
@@ -1643,6 +1643,21 @@
')
@@ -126,6 +137,17 @@
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.29/policy/modules/kernel/mls.te
+--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-03-23 16:45:31.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/kernel/mls.te 2006-04-03 16:29:39.000000000 -0400
+@@ -60,6 +60,7 @@
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t auditd_exec_t s15:c0.c255;
++range_transition secadm_t auditctl_exec_t s15:c0.c255;
+ range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+ range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.29/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2006-03-24 11:09:14.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/apache.if 2006-04-03 13:02:08.000000000 -0400
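Review bot: The new `range_transition secadm_t auditctl_exec_t s15:c0.c255;` covers only secadm_t, so auditctl started from any other domain keeps the caller's level. The line above it handles auditd from initrc_t; if the init script also loads audit rules through auditctl (not visible in this hunk), a matching `range_transition initrc_t auditctl_exec_t s15:c0.c255;` would be needed as well. A comment such as `# auditctl has to run at SystemHigh to configure auditing under MLS`, if that is the reason, would record why a single level rather than a range was chosen.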
@@ -219,6 +241,18 @@
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.29/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2006-03-30 10:59:02.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/cups.te 2006-04-03 17:42:39.000000000 -0400
+@@ -110,7 +110,7 @@
+ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+
+ allow cupsd_t cupsd_var_run_t:file create_file_perms;
+-allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
++allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
+ allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
+ files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.29/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2006-03-24 11:09:14.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/dbus.te 2006-03-31 11:21:52.000000000 -0500
@@ -232,7 +266,7 @@
seutil_read_default_contexts(system_dbusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.29/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-03-30 10:59:02.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/services/hal.te 2006-04-03 11:31:34.000000000 -0400
++++ serefpolicy-2.2.29/policy/modules/services/hal.te 2006-04-03 17:43:25.000000000 -0400
@@ -22,7 +22,7 @@
#
@@ -261,7 +295,15 @@
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
-@@ -187,6 +192,11 @@
+@@ -93,6 +98,7 @@
+ files_read_usr_files(hald_t)
+ # hal is now execing pm-suspend
+ files_create_boot_flag(hald_t)
++files_getattr_default_dirs(hald_t)
+
+ fs_getattr_all_fs(hald_t)
+ fs_search_all(hald_t)
+@@ -187,6 +193,11 @@
optional_policy(`
networkmanager_dbus_chat(hald_t)
')
@@ -311,6 +353,29 @@
+ allow $1 nscd_t:process signal;
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.29/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te 2006-03-24 11:09:15.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/samba.te 2006-04-03 14:24:40.000000000 -0400
+@@ -105,6 +105,8 @@
+ allow samba_net_t samba_net_tmp_t:file create_file_perms;
+ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+
++allow smbd_t samba_net_tmp_t:file getattr;
++
+ allow samba_net_t samba_var_t:dir rw_dir_perms;
+ allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
+ allow samba_net_t samba_var_t:file create_lnk_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.2.29/policy/modules/services/snmp.te
+--- nsaserefpolicy/policy/modules/services/snmp.te 2006-03-24 11:09:13.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/snmp.te 2006-04-03 13:11:33.000000000 -0400
+@@ -49,6 +49,7 @@
+ allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
+
++kernel_read_device_sysctls(snmpd_t)
+ kernel_read_kernel_sysctls(snmpd_t)
+ kernel_read_net_sysctls(snmpd_t)
+ kernel_read_proc_symlinks(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.29/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-03-30 10:16:43.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/xserver.if 2006-04-03 10:43:12.000000000 -0400
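Review bot: `allow smbd_t samba_net_tmp_t:file getattr;` is placed in the middle of the samba_net_t rules, between the tmp and var blocks, although it grants access to smbd_t. It would be easier to audit next to the other smbd_t rules, with a comment saying what smbd does with these files. If the denial comes only from smbd stat-ing files while scanning a temporary directory (an assumption; the hunk does not say), `dontaudit smbd_t samba_net_tmp_t:file getattr;` would silence it without granting access. Separately, the context line `allow samba_net_t samba_var_t:file create_lnk_perms;` pairs the file class with the symlink permission set and looks like a copy-paste of the line above it; worth checking upstream.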
@@ -383,7 +448,7 @@
libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.29/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-03-30 10:18:07.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/libraries.fc 2006-04-03 12:44:37.000000000 -0400
++++ serefpolicy-2.2.29/policy/modules/system/libraries.fc 2006-04-03 14:29:38.000000000 -0400
@@ -33,6 +33,7 @@
#
/opt(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -401,7 +466,7 @@
/usr/lib(64)?/pgsql/test/regress/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
-@@ -62,6 +65,8 @@
+@@ -62,18 +65,27 @@
/usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -410,7 +475,10 @@
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -70,10 +75,15 @@
+ /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
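Review bot: The added vmware entry ends in `libgdk-x11-.*\.so.*`, and both `.*` can match `/`, so the textrel_shlib_t label can reach files in deeper directories and names that merely contain `.so`. textrel_shlib_t is the label that lets processes apply text relocations to a library, so its patterns are better kept tight, as the neighbouring nvidia and libGL lines do with `\.so(\.[^/]*)*`. I would write it as `/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.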
@@ -427,7 +495,7 @@
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -92,6 +102,7 @@
+@@ -92,6 +104,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -435,7 +503,7 @@
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/theorarend\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -170,10 +181,9 @@
+@@ -170,10 +183,9 @@
# Java, Sun Microsystems (JPackage SRPM)
/usr/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.166
retrieving revision 1.167
diff -u -r1.166 -r1.167
--- selinux-policy.spec 3 Apr 2006 17:17:13 -0000 1.166
+++ selinux-policy.spec 4 Apr 2006 10:07:53 -0000 1.167
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.2.29
-Release: 2
+Release: 3
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -320,6 +320,9 @@
%endif
%changelog
+* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-3
+- Get auditctl working in MLS policy
+
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-2
- Add mono dbus support
- Lots of file_context fixes for textrel_shlib_t in FC5