rpms/selinux-policy/FC-6 booleans-targeted.conf, 1.20, 1.21 modules-mls.conf, 1.22, 1.23 modules-strict.conf, 1.15, 1.16 modules-targeted.conf, 1.40, 1.41 policy-20061106.patch, 1.5, 1.6 selinux-policy.spec, 1.330, 1.331
fedora-cvs-commits at redhat.com
Thu Dec 14 20:59:26 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv23116
Modified Files:
booleans-targeted.conf modules-mls.conf modules-strict.conf
modules-targeted.conf policy-20061106.patch
selinux-policy.spec
Log Message:
* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-13
- Fixes for irqbalance
Resolves: #219606
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/booleans-targeted.conf,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- booleans-targeted.conf 30 Oct 2006 22:26:17 -0000 1.20
+++ booleans-targeted.conf 14 Dec 2006 20:59:24 -0000 1.21
@@ -1,5 +1,5 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-nnn#
+#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/modules-mls.conf,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- modules-mls.conf 6 Dec 2006 21:33:42 -0000 1.22
+++ modules-mls.conf 14 Dec 2006 20:59:24 -0000 1.23
@@ -1022,3 +1022,10 @@
# PC/SC Smart Card Daemon
#
pcscd = module
+
+# Layer: system
+# Module: tzdata
+#
+# Policy for tzdata-update
+#
+tzdata = base
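Review bot: "tzdata = base" builds the new module into the base policy while the entry just above it, "pcscd = module", is loadable, and neither the "# Policy for tzdata-update" comment nor the commit log (which mentions only irqbalance) says why. Add a changelog line for the tzdata module and a short comment on why it has to be in base; the same applies to the identical blocks in modules-strict.conf and modules-targeted.conf.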
Index: modules-strict.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/modules-strict.conf,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- modules-strict.conf 6 Dec 2006 21:33:42 -0000 1.15
+++ modules-strict.conf 14 Dec 2006 20:59:24 -0000 1.16
@@ -1297,3 +1297,10 @@
# PC/SC Smart Card Daemon
#
pcscd = module
+
+# Layer: system
+# Module: tzdata
+#
+# Policy for tzdata-update
+#
+tzdata = base
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/modules-targeted.conf,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- modules-targeted.conf 6 Dec 2006 21:33:42 -0000 1.40
+++ modules-targeted.conf 14 Dec 2006 20:59:24 -0000 1.41
@@ -1172,3 +1172,12 @@
#
pcscd = module
+# Layer: system
+# Module: tzdata
+#
+# Policy for tzdata-update
+#
+tzdata = base
+
+
+
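Review bot: unlike the modules-mls.conf and modules-strict.conf hunks, the tzdata block here starts directly after "pcscd = module" with no blank separator line and ends with three empty lines. Move one blank line above "# Layer: system" and drop the other two so the three files stay consistent.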
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 48 ++-
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 7
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 46 +-
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 5
policy/modules/admin/usermanage.te | 4
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/slocate.te | 2
policy/modules/kernel/corecommands.fc | 4
policy/modules/kernel/corecommands.if | 36 ++
policy/modules/kernel/corenetwork.if.in | 49 +++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 160 +++++++++-
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/mls.if | 8
policy/modules/kernel/mls.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16 -
policy/modules/services/apm.te | 1
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 7
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 2
policy/modules/services/cron.if | 49 ---
policy/modules/services/cron.te | 13
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 12
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 23 +
policy/modules/services/pcscd.te | 69 ++++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16 +
policy/modules/services/radvd.te | 2
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 5
policy/modules/services/ssh.te | 7
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 69 ++++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 10
policy/modules/system/init.if | 3
policy/modules/system/init.te | 26 +
policy/modules/system/iptables.te | 7
policy/modules/system/libraries.fc | 28 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 9
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++-
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 79 +++++
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 110 ++++++
policy/modules/system/selinuxutil.te | 107 +-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 28 +
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 19 +
policy/modules/system/userdomain.if | 503 ++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 60 +--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 ++
138 files changed, 2120 insertions(+), 454 deletions(-)
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.5 -r 1.6 policy-20061106.patch
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20061106.patch 6 Dec 2006 21:33:42 -0000 1.5
+++ policy-20061106.patch 14 Dec 2006 20:59:24 -0000 1.6
@@ -1,6 +1,27 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict/seusers serefpolicy-2.4.6/config/appconfig-strict/seusers
+--- nsaserefpolicy/config/appconfig-strict/seusers 2006-11-16 17:15:27.000000000 -0500
++++ serefpolicy-2.4.6/config/appconfig-strict/seusers 2006-12-14 14:55:59.000000000 -0500
+@@ -1,2 +1,3 @@
++system_u:system_u
+ root:root
+ __default__:user_u
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mcs/seusers serefpolicy-2.4.6/config/appconfig-strict-mcs/seusers
+--- nsaserefpolicy/config/appconfig-strict-mcs/seusers 2006-11-16 17:15:27.000000000 -0500
++++ serefpolicy-2.4.6/config/appconfig-strict-mcs/seusers 2006-12-14 14:57:01.000000000 -0500
+@@ -1,2 +1,3 @@
++system_u:system_u:s0-mcs_systemhigh
+ root:root:s0-mcs_systemhigh
+ __default__:user_u:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/seusers serefpolicy-2.4.6/config/appconfig-strict-mls/seusers
+--- nsaserefpolicy/config/appconfig-strict-mls/seusers 2006-11-16 17:15:27.000000000 -0500
++++ serefpolicy-2.4.6/config/appconfig-strict-mls/seusers 2006-12-14 14:55:40.000000000 -0500
+@@ -1,2 +1,3 @@
++system_u:system_u:s0-mls_systemhigh
+ root:root:s0-mls_systemhigh
+ __default__:user_u:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.6/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-11-16 17:15:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/flask/access_vectors 2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/flask/access_vectors 2006-12-12 15:19:22.000000000 -0500
@@ -619,6 +619,8 @@
send
recv
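Review bot: the seusers sections added at the top of this hunk introduce a system_u login mapping (system_u:system_u, with ranges s0-mcs_systemhigh and s0-mls_systemhigh in the MCS and MLS variants) that none of the changelog entries in this commit explains. seusers is keyed by Linux login name, so state in the changelog which component looks up a login called system_u and which bug this resolves.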
@@ -12,7 +33,7 @@
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.6/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/global_tunables 2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/global_tunables 2006-12-13 17:53:00.000000000 -0500
@@ -82,6 +82,14 @@
## <desc>
@@ -59,7 +80,7 @@
## Allow mount to mount any file
## </p>
## </desc>
-@@ -596,8 +619,23 @@
+@@ -596,8 +619,31 @@
## <desc>
## <p>
@@ -84,9 +105,91 @@
+## </p>
+## </desc>
+gen_tunable(use_lpd_server,false)
++
++## <desc>
++## <p>
++## Allow unlabeled packets to work on system
++## </p>
++## </desc>
++gen_tunable(allow_unlabeled_packets,true)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.4.6/policy/mls
+--- nsaserefpolicy/policy/mls 2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/mls 2006-12-12 16:40:35.000000000 -0500
+@@ -89,12 +89,14 @@
+ mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+- (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsfilewrite ) or
++ (( t2 == mlsrangedobject ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t2 == mlstrustedobject ));
+
++# Directory "write" ops
+ mlsconstrain dir { add_name remove_name reparent rmdir }
+- ((( l1 dom l2 ) and ( l1 domby h2 )) or
++ (( l1 eq l2 ) or
++ (( t1 == mlsfilewriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsfilewrite ) or
+ ( t2 == mlstrustedobject ));
+@@ -165,8 +167,20 @@
+ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+ ( h1 dom h2 );
+
++# the socket "read+write" ops
++# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
++# require equal levels for unprivileged subjects, or read *and* write overrides)
++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
++ (( l1 eq l2 ) or
++ (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
++ ( t1 == mlsnetread )) and
++ ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
++ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++ ( t1 == mlsnetwrite ))));
++
++
+ # the socket "read" ops (note the check is dominance of the low level)
+-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen getopt recv_msg }
+ (( l1 dom l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+@@ -177,8 +191,9 @@
+ ( t1 == mlsnetread ));
+
+ # the socket "write" ops
+-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+- ((( l1 dom l2 ) and ( l1 domby h2 )) or
++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom setopt shutdown }
++ (( l1 eq l2 ) or
++ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsnetwrite ));
+
+@@ -274,7 +289,8 @@
+
+ # the netif/node "write" ops (implicit single level socket doing the write)
+ mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+- (( l1 dom l2 ) and ( l1 domby h2 ));
++ (( l1 eq l2 ) or
++ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
+
+ # these access vectors have no MLS restrictions
+ # node enforce_dest
+@@ -581,7 +597,8 @@
+ ( t2 == unlabeled_t ));
+
+ mlsconstrain association { sendto }
+- ((( l1 dom l2 ) and ( l1 domby h2 )) or
++ (( l1 eq l2 ) or
++ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t2 == unlabeled_t ));
+
+ mlsconstrain association { polmatch }
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.6/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/acct.te 2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/acct.te 2006-12-12 15:19:22.000000000 -0500
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
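Review bot: in the policy/mls part of this hunk, in-range writes stop being allowed by default: the dir, socket write, netif/node send and association sendto constraints replace "(( l1 dom l2 ) and ( l1 domby h2 ))" with "( l1 eq l2 )" plus an override for t1 == mlsfilewriteranged or mlsnetwriteranged, and the file constraint swaps t2 == mlsfilewriteinrange for t2 == mlsrangedobject. The attribute declarations and the domains that receive them are not in the visible lines, so confirm that every ranged domain that relied on the old rule, and every type that carried mlsfilewriteinrange, is updated in the same patch; a constraint change of this size deserves more in the changelog than "More fixes for MLS". Separately, gen_tunable(allow_unlabeled_packets,true) defaults to on and its description does not say which access it gates.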
@@ -97,7 +200,7 @@
logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.4.6/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.if 2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.if 2006-12-12 15:19:22.000000000 -0500
@@ -127,4 +127,21 @@
allow $1 amanda_log_t:file ra_file_perms;
')
@@ -122,7 +225,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.6/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-12-12 15:19:22.000000000 -0500
@@ -75,6 +75,7 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -131,10 +234,35 @@
# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file { getattr lock read write };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.4.6/policy/modules/admin/bootloader.fc
+--- nsaserefpolicy/policy/modules/admin/bootloader.fc 2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.fc 2006-12-12 15:19:22.000000000 -0500
+@@ -2,11 +2,6 @@
+ /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+ /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+-/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+-
+-/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+-
+ /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.4.6/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2006-12-05 13:19:41.000000000 -0500
-@@ -218,3 +218,7 @@
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2006-12-12 15:19:22.000000000 -0500
+@@ -163,9 +163,6 @@
+ # new file system defaults to file_t, granting file_t access is still bad.
+ allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+
+- # mkinitrd mount initrd on bootloader temp dir
+- files_mountpoint(bootloader_tmp_t)
+-
+ # new file system defaults to file_t, granting file_t access is still bad.
+ files_manage_isid_type_dirs(bootloader_t)
+ files_manage_isid_type_files(bootloader_t)
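Review bot: the bootloader.fc section drops the bootloader_exec_t contexts for /etc/mkinitrd/scripts/.*, /usr/sbin/mkinitrd and /sbin/mkinitrd, and bootloader.te drops files_mountpoint(bootloader_tmp_t), but nothing visible here says what label mkinitrd gets instead. Note in the changelog which domain mkinitrd is now expected to run in, and check that this domain can still mount the initrd on its temp dir.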
[...1753 lines suppressed...]
++miscfiles_read_localization(tzdata_t)
++
++files_search_spool(tzdata_t)
++miscfiles_manage_localization(tzdata_t)
++miscfiles_etc_filetrans_localization(tzdata_t)
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.4.6/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.fc 2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.fc 2006-12-12 15:19:22.000000000 -0500
@@ -7,6 +7,8 @@
ifdef(`targeted_policy',`
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@@ -3685,7 +4347,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.6/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.if 2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.if 2006-12-12 15:19:22.000000000 -0500
@@ -31,6 +31,7 @@
allow $1 self:nscd *;
allow $1 self:dbus *;
@@ -3721,7 +4383,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2006-12-12 15:19:22.000000000 -0500
@@ -83,6 +83,9 @@
optional_policy(`
networkmanager_dbus_chat(unconfined_t)
@@ -3741,16 +4403,20 @@
')
optional_policy(`
-@@ -173,6 +178,8 @@
+@@ -173,6 +178,12 @@
optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
+ mcs_killall(unconfined_t)
+ mcs_ptrace_all(unconfined_t)
++
++ optional_policy(`
++ tzdata_domtrans(unconfined_t)
++ ')
')
########################################
-@@ -181,10 +188,18 @@
+@@ -181,10 +192,18 @@
#
ifdef(`targeted_policy',`
@@ -3771,7 +4437,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-06 11:27:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-12 15:19:22.000000000 -0500
@@ -22,9 +22,9 @@
## <rolebase/>
#
@@ -3815,7 +4481,7 @@
- files_poly($1_home_dir_t)
- files_poly_member($1_home_t)
- ')
-+ type_member $1_t $1_home_dir_t:dir $1_home_t;
++ type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
+ files_poly($1_home_dir_t)
+ files_poly_parent($1_home_dir_t)
+ files_poly_parent($1_home_t)
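Review bot: the type_member change from $1_home_t to $1_home_dir_t carries no comment explaining it. type_member sets the type of the polyinstantiated member directory, so with this line the instances under $1_home_dir_t get the home directory type itself rather than $1_home_t; add a comment saying this is intended and why.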
@@ -3841,7 +4507,7 @@
- ifdef(`enable_polyinstantiation',`
- files_poly_member_tmp($1_t,$1_tmp_t)
- ')
-+ files_poly_member_tmp($1_t,$1_tmp_t)
++ files_poly_member_tmp($1_t,tmp_t)
')
#######################################
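Review bot: files_poly_member_tmp($1_t,$1_tmp_t) becomes files_poly_member_tmp($1_t,tmp_t), so the second argument is now the generic tmp_t instead of the per-role $1_tmp_t, with no comment. If that argument is the member type, as in the type_member line earlier in this file, every role shares one type for its /tmp instance; confirm that is intended and that $1_t does not depend on its $1_tmp_t rules for access to the instance directory.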
@@ -4060,7 +4726,7 @@
## Read files in generic user home directories.
## </summary>
## <param name="domain">
-@@ -5497,3 +5506,363 @@
+@@ -5497,3 +5506,383 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
@@ -4424,9 +5090,29 @@
+ allow $1 home_type:dir { relabelfrom relabelto };
+')
+
++
++########################################
++## <summary>
++## getattr all executables
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_getattr_all_executables',`
++ gen_require(`
++ attribute user_exec_type;
++ ')
++
++ allow $1 user_exec_type:file getattr;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.te 2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.te 2006-12-14 13:55:38.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
@@ -4463,7 +5149,22 @@
',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
-@@ -229,7 +213,6 @@
+@@ -181,6 +165,14 @@
+ ')
+
+ optional_policy(`
++ tzdata_domtrans(sysadm_t)
++ ')
++
++ optional_policy(`
++ raid_domtrans_mdadm(sysadm_t)
++ ')
++
++ optional_policy(`
+ # cjp: why is this not apm_run_client
+ apm_domtrans_client(sysadm_t)
+ ')
+@@ -229,7 +221,6 @@
consoletype_exec(sysadm_t)
ifdef(`enable_mls',`
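Review bot: the two new optional_policy blocks call tzdata_domtrans(sysadm_t) and raid_domtrans_mdadm(sysadm_t), the same _domtrans-instead-of-_run pattern that the existing "# cjp: why is this not apm_run_client" comment right below them questions. Check that sysadm_r is authorized for the target domain types somewhere else, or use a _run interface that takes the role if one exists; neither addition is mentioned in the changelog.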
@@ -4471,7 +5172,7 @@
consoletype_exec(auditadm_t)
')
')
-@@ -248,7 +231,6 @@
+@@ -248,7 +239,6 @@
dmesg_exec(sysadm_t)
ifdef(`enable_mls',`
@@ -4479,7 +5180,7 @@
dmesg_exec(auditadm_t)
')
')
-@@ -383,27 +365,12 @@
+@@ -383,27 +373,12 @@
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
ifdef(`enable_mls',`
@@ -4512,7 +5213,7 @@
')
')
-@@ -428,6 +395,9 @@
+@@ -428,6 +403,9 @@
')
optional_policy(`
@@ -4524,7 +5225,7 @@
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.6/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.fc 2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.fc 2006-12-12 15:19:22.000000000 -0500
@@ -8,6 +8,7 @@
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
@@ -4535,7 +5236,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.6/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.te 2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.te 2006-12-12 15:19:22.000000000 -0500
@@ -86,8 +86,8 @@
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
@@ -4627,7 +5328,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.6/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-11-16 17:15:29.000000000 -0500
-+++ serefpolicy-2.4.6/Rules.modular 2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/Rules.modular 2006-12-12 15:19:22.000000000 -0500
@@ -219,6 +219,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.330
retrieving revision 1.331
diff -u -r1.330 -r1.331
--- selinux-policy.spec 6 Dec 2006 21:33:42 -0000 1.330
+++ selinux-policy.spec 14 Dec 2006 20:59:24 -0000 1.331
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 7%{?dist}
+Release: 13%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,11 +351,34 @@
%endif
%changelog
+* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-13
+- Fixes for irqbalance
+Resolves: #219606
+
+* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-12
+- Fix vixie-cron to work on mls
+Resolves: #207433
+
+* Wed Dec 13 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-11
+Resolves: #218978
+
+* Tue Dec 12 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-10
+- Allow initrc to create files in /var directories
+Resolves: #219227
+
+* Fri Dec 8 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-9
+- More fixes for MLS
+Resolves: #181566
+
+* Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-8
+- More Fixes polyinstatiation
+Resolves: #216184
+
* Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-7
- More Fixes polyinstatiation
- Fix handling of keyrings
-
Resolves: #216184
+
* Mon Dec 4 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-6
- Fix polyinstatiation
- Fix pcscd handling of terminal
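Review bot: the 2.4.6-11 changelog entry has a Resolves: line but no description, and 2.4.6-8 repeats the 2.4.6-7 text ("More Fixes polyinstatiation", Resolves: #216184) with "polyinstatiation" misspelled. The commit log mentions only irqbalance while Release jumps from 7 to 13, so the entries for -8 through -12 are the only record of those changes; fill in -11 and make -8 say what differs from -7.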