rpms/selinux-policy/devel .cvsignore, 1.44, 1.45 policy-20060207.patch, 1.19, 1.20 selinux-policy.spec, 1.121, 1.122 sources, 1.48, 1.49
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Feb 23 15:12:41 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8870
Modified Files:
.cvsignore policy-20060207.patch selinux-policy.spec sources
Log Message:
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- .cvsignore 22 Feb 2006 22:46:02 -0000 1.44
+++ .cvsignore 23 Feb 2006 15:12:37 -0000 1.45
@@ -45,3 +45,4 @@
serefpolicy-2.2.18.tgz
serefpolicy-2.2.19.tgz
serefpolicy-2.2.20.tgz
+serefpolicy-2.2.21.tgz
policy-20060207.patch:
admin/logwatch.te | 2 ++
admin/vpn.te | 4 ++++
apps/java.if | 8 ++------
kernel/devices.fc | 1 +
kernel/files.if | 3 ++-
kernel/files.te | 1 +
services/apache.fc | 2 +-
services/apache.if | 21 +++++++++++++++++++++
services/automount.te | 7 +++++--
services/cron.te | 3 +++
services/hal.te | 2 +-
system/fstools.te | 2 +-
system/mount.te | 2 +-
system/selinuxutil.te | 5 +----
14 files changed, 46 insertions(+), 17 deletions(-)
Index: policy-20060207.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060207.patch,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- policy-20060207.patch 22 Feb 2006 22:46:02 -0000 1.19
+++ policy-20060207.patch 23 Feb 2006 15:12:37 -0000 1.20
@@ -1,17 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/doc/Makefile.example serefpolicy-2.2.20/doc/Makefile.example
---- nsaserefpolicy/doc/Makefile.example 2006-02-22 14:08:56.000000000 -0500
-+++ serefpolicy-2.2.20/doc/Makefile.example 2006-02-22 14:29:48.000000000 -0500
-@@ -3,6 +3,6 @@
-
- NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
- SHAREDIR ?= /usr/share/selinux
--HEADERDIR := $(SHAREDIR)/$(NAME)/include
-+HEADERDIR := $(SHAREDIR)/refpolicy/include
-
- include $(HEADERDIR)/Makefile
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.20/policy/modules/admin/logwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.21/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-02-21 14:40:22.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/admin/logwatch.te 2006-02-22 14:22:49.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/admin/logwatch.te 2006-02-23 09:41:46.000000000 -0500
@@ -71,6 +71,8 @@
selinux_dontaudit_getattr_dir(logwatch_t)
@@ -21,45 +10,9 @@
userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.2.20/policy/modules/admin/su.if
---- nsaserefpolicy/policy/modules/admin/su.if 2006-02-21 14:40:22.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/admin/su.if 2006-02-22 14:22:49.000000000 -0500
-@@ -220,6 +220,14 @@
- nscd_socket_use($1_su_t)
- ')
-
-+ # Modify .Xauthority file (via xauth program).
-+ optional_policy(`xserver',`
-+# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-+# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-+# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-+ xserver_domtrans_user_xauth($1, $1_su_t)
-+ ')
-+
- ifdef(`TODO',`
- # Caused by su - init scripts
- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-@@ -235,17 +243,6 @@
- dontaudit $1_su_t home_dir_type:dir { search write };
- ')
-
-- # Modify .Xauthority file (via xauth program).
-- ifdef(`xauth.te', `
-- file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-- file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-- file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-- domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
-- ')
--
-- ifdef(`cyrus.te', `
-- allow $1_su_t cyrus_var_lib_t:dir search;
-- ')
- ifdef(`ssh.te', `
- # Access sshd cookie files.
- allow $1_su_t sshd_tmp_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.2.20/policy/modules/admin/vpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.2.21/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2006-02-21 14:40:23.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/admin/vpn.te 2006-02-22 14:22:49.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/admin/vpn.te 2006-02-23 09:41:46.000000000 -0500
@@ -106,6 +106,10 @@
optional_policy(`dbus',`
@@ -71,9 +24,9 @@
')
optional_policy(`mount',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.2.20/policy/modules/apps/java.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.2.21/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2006-02-21 14:40:23.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/apps/java.if 2006-02-22 14:22:49.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/apps/java.if 2006-02-23 09:41:46.000000000 -0500
@@ -149,13 +149,9 @@
userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
@@ -90,70 +43,20 @@
allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.2.20/policy/modules/apps/slocate.te
---- nsaserefpolicy/policy/modules/apps/slocate.te 2006-01-25 15:58:58.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/apps/slocate.te 2006-02-22 14:22:49.000000000 -0500
-@@ -36,6 +36,8 @@
-
- files_list_all(locate_t)
- files_getattr_all_files(locate_t)
-+# mls Higher level directories will be refused, so dontaudit
-+files_dontaudit_getattr_all_dirs(locate_t)
- files_read_etc_runtime_files(locate_t)
- files_read_etc_files(locate_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.20/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if 2006-02-21 14:40:23.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/kernel/devices.if 2006-02-22 14:22:49.000000000 -0500
-@@ -1115,6 +1115,45 @@
-
- ########################################
- ## <summary>
-+## Setattr the dri devices.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_setattr_dri_dev',`
-+ gen_require(`
-+ type device_t, dri_device_t;
-+ ')
-+
-+ allow $1 device_t:dir r_dir_perms;
-+ allow $1 dri_device_t:chr_file setattr;
-+')
-+
-+########################################
-+## <summary>
-+## getattr the dri devices.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_getattr_dri_dev',`
-+ gen_require(`
-+ type device_t, dri_device_t;
-+ ')
-+
-+ allow $1 device_t:dir r_dir_perms;
-+ allow $1 dri_device_t:chr_file getattr;
-+')
-+
-+
-+########################################
-+## <summary>
- ## Read input event devices (/dev/input).
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.20/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.21/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-02-14 07:20:25.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/kernel/devices.fc 2006-02-23 10:01:17.000000000 -0500
+@@ -39,6 +39,7 @@
+ /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/random -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
++/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.21/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-02-21 14:40:23.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/kernel/files.if 2006-02-22 17:28:29.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/kernel/files.if 2006-02-23 09:41:46.000000000 -0500
@@ -3358,10 +3358,11 @@
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr };
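Review bot: The new `/dev/efirtc` file-context entry in the devices.fc part of this hunk is written as a plain path while the neighbouring rtc entry is `/dev/(misc/)?rtc`, so an EFI RTC node exposed under `/dev/misc/` would not receive the clock_device_t label. Whether the misc/ layout applies to this device cannot be confirmed from the hunk; if it does, `/dev/(misc/)?efirtc -c gen_context(system_u:object_r:clock_device_t,s0)` keeps the two entries consistent, and if it does not, a short comment stating that efirtc only appears directly under /dev would document the choice for the next reviewer.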
@@ -167,9 +70,9 @@
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.20/policy/modules/kernel/files.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.21/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2006-02-14 07:20:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/kernel/files.te 2006-02-22 17:01:45.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/kernel/files.te 2006-02-23 09:41:46.000000000 -0500
@@ -125,6 +125,7 @@
#
type tmp_t, mountpoint; #, polydir
@@ -178,9 +81,9 @@
#
# usr_t is the type for /usr.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.20/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.21/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-02-14 07:20:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/services/apache.fc 2006-02-22 14:22:49.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/services/apache.fc 2006-02-23 09:41:46.000000000 -0500
@@ -45,7 +45,7 @@
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -190,9 +93,9 @@
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.20/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.21/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2006-02-21 14:40:23.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/services/apache.if 2006-02-22 14:28:46.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/services/apache.if 2006-02-23 09:41:46.000000000 -0500
@@ -94,6 +94,7 @@
corecmd_exec_bin(httpd_$1_script_t)
@@ -232,9 +135,18 @@
+ allow $1 httpd_sys_content_t:dir r_dir_perms;
+ allow $1 httpd_sys_content_t:file { getattr read };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.20/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.21/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-02-21 14:40:23.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/services/automount.te 2006-02-22 14:22:49.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/services/automount.te 2006-02-23 10:09:09.000000000 -0500
+@@ -28,7 +28,7 @@
+ # Local policy
+ #
+
+-allow automount_t self:capability { net_bind_service sys_nice dac_override };
++allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
+ dontaudit automount_t self:capability sys_tty_config;
+ allow automount_t self:process { signal_perms getpgid setpgid setsched };
+ allow automount_t self:fifo_file rw_file_perms;
@@ -83,6 +83,9 @@
corenet_tcp_connect_portmap_port(automount_t)
corenet_tcp_connect_all_ports(automount_t)
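Review bot: The `sys_resource` capability added to `automount_t` on the `++allow automount_t self:capability { ... }` line carries no comment recording why it is needed; CAP_SYS_RESOURCE lets the daemon override resource limits and similar kernel ceilings, so someone auditing the domain later cannot tell whether the grant answers a specific denial or is speculative. Add a why-comment above the rule, e.g. `# sys_resource: <AVC denial or automount code path that needs it>` (placeholder, since the commit does not say), naming the operation that was observed. The automount.te local policy block this rule belongs to continues outside the hunk.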
@@ -245,37 +157,18 @@
dev_read_sysfs(automount_t)
# for SSP
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.2.20/policy/modules/services/cron.if
---- nsaserefpolicy/policy/modules/services/cron.if 2006-02-21 14:40:23.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/services/cron.if 2006-02-22 14:22:49.000000000 -0500
-@@ -434,6 +434,24 @@
+@@ -91,7 +94,7 @@
+ domain_use_interactive_fds(automount_t)
- ########################################
- ## <summary>
-+## Read and write a cron daemon system pipe.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_rw_system_pipes',`
-+ gen_require(`
-+ type system_crond_t;
-+ ')
-+
-+ allow $1 system_crond_t:fifo_file { getattr read write };
-+')
-+
-+########################################
-+## <summary>
- ## Read, and write cron daemon TCP sockets.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.20/policy/modules/services/cron.te
---- nsaserefpolicy/policy/modules/services/cron.te 2006-02-21 14:40:23.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/services/cron.te 2006-02-22 14:22:49.000000000 -0500
+ files_dontaudit_write_var_dirs(automount_t)
+-files_search_var_lib(automount_t)
++files_getattr_all_dirs(automount_t)
+ files_list_mnt(automount_t)
+ files_getattr_home_dir(automount_t)
+ files_read_etc_files(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.21/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2006-02-23 09:25:09.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/services/cron.te 2006-02-23 09:41:46.000000000 -0500
@@ -360,6 +360,9 @@
optional_policy(`apache',`
# Needed for certwatch
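Review bot: `files_search_var_lib(automount_t)` is replaced rather than supplemented by `files_getattr_all_dirs(automount_t)` on the `+-`/`++` pair near the end of the hunk, so search on var_lib_t directories is dropped unless the new interface also grants it, which cannot be confirmed from the hunk. The replacement is also considerably broader: getattr on every directory type lets automount stat directories of any label, which on an MLS system exposes metadata of directories at other levels and is the kind of grant normally scoped to the mount points the daemon actually handles. Suggest keeping both lines, `files_search_var_lib(automount_t)` and `files_getattr_all_dirs(automount_t)`, and recording in a comment the denial that motivated the wider rule, or using a mount-point-scoped interface if one exists. The surrounding automount.te block starts and ends outside the hunk.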
@@ -286,84 +179,21 @@
')
optional_policy(`cyrus',`
-@@ -398,6 +401,10 @@
- prelink_delete_cache(system_crond_t)
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.21/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te 2006-02-21 14:40:23.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/services/hal.te 2006-02-23 10:11:00.000000000 -0500
+@@ -93,7 +93,7 @@
+
+ fs_getattr_all_fs(hald_t)
+ fs_search_all(hald_t)
+-fs_search_auto_mountpoints(hald_t)
++fs_list_auto_mountpoints(hald_t)
-+ optional_policy(`postfix',`
-+ postfix_read_config(system_crond_t)
-+ ')
-+
- optional_policy(`samba',`
- samba_read_config(system_crond_t)
- samba_read_log(system_crond_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.2.20/policy/modules/services/cups.if
---- nsaserefpolicy/policy/modules/services/cups.if 2006-02-10 21:34:13.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/services/cups.if 2006-02-22 14:22:49.000000000 -0500
-@@ -169,6 +169,25 @@
+ mls_file_read_up(hald_t)
- ########################################
- ## <summary>
-+## write cups log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cups_write_log',`
-+ gen_require(`
-+ type cupsd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 cupsd_log_t:file write;
-+')
-+
-+########################################
-+## <summary>
- ## Connect to ptal over an unix domain stream socket.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.20/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2006-02-21 14:40:24.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/services/postfix.te 2006-02-22 14:22:49.000000000 -0500
-@@ -440,6 +440,7 @@
- optional_policy(`crond',`
- cron_use_fd(postfix_postdrop_t)
- cron_rw_pipes(postfix_postdrop_t)
-+ cron_rw_system_pipes(postfix_postdrop_t)
- cron_use_system_job_fds(postfix_postdrop_t)
- cron_rw_system_job_pipes(postfix_postdrop_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.2.20/policy/modules/services/ssh.if
---- nsaserefpolicy/policy/modules/services/ssh.if 2006-02-21 14:40:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/services/ssh.if 2006-02-22 14:22:49.000000000 -0500
-@@ -279,6 +279,8 @@
-
- allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
-
-+ allow $1_ssh_agent_t $1_ssh_agent_t:unix_stream_socket { connectto rw_socket_perms };
-+
- allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
-
- # for ssh-add
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.20/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te 2006-02-21 14:40:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/system/authlogin.te 2006-02-22 14:22:49.000000000 -0500
-@@ -153,6 +153,8 @@
- dev_read_sysfs(pam_console_t)
- dev_getattr_apm_bios_dev(pam_console_t)
- dev_setattr_apm_bios_dev(pam_console_t)
-+dev_getattr_dri_dev(pam_console_t)
-+dev_setattr_dri_dev(pam_console_t)
- dev_getattr_framebuffer_dev(pam_console_t)
- dev_setattr_framebuffer_dev(pam_console_t)
- dev_getattr_misc_dev(pam_console_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.20/policy/modules/system/fstools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.21/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-02-21 14:40:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/system/fstools.te 2006-02-22 14:22:49.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/system/fstools.te 2006-02-23 09:41:46.000000000 -0500
@@ -45,7 +45,7 @@
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
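Review bot: `fs_list_auto_mountpoints(hald_t)` on the `++` line widens the previous `fs_search_auto_mountpoints` from directory traversal to listing the contents of autofs mount points, and no comment records what hald needs the listing for; the same widening is made for `mount_t` in the later `@@ -373,158 +203,22 @@` hunk (mount.te). Since list reveals entry names rather than only permitting traversal, a one-line why-comment such as `# hald enumerates autofs mount points (denial: <AVC placeholder>)` would let a later auditor distinguish a needed grant from a speculative one. Both the hal.te and mount.te blocks continue outside their hunks.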
@@ -373,158 +203,22 @@
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.20/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.21/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-02-21 14:40:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/system/mount.te 2006-02-22 14:22:49.000000000 -0500
-@@ -137,6 +137,8 @@
- samba_domtrans_smbmount(mount_t)
- ')
-
-+userdom_mounton_generic_user_home_dir(mount_t)
-+
- ifdef(`TODO',`
- # TODO: Need to examine this further. Not sure how to handle this
- #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.20/policy/modules/system/selinuxutil.fc
---- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/system/selinuxutil.fc 2006-02-22 17:10:36.000000000 -0500
-@@ -39,3 +39,10 @@
- ifdef(`distro_debian', `
- /usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
- ')
-+
-+/usr/sbin/semodule -- gen_context(system_u:object_r:semodule_exec_t,s0)
-+
-+/etc/selinux/([^/]*/)?modules -d gen_context(system_u:object_r:selinux_config_t,s0)
-+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? -- gen_context(system_u:object_r:semodule_store_t,s0)
-+/etc/selinux/([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semodule_read_lock_t,s0)
-+/etc/selinux/([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semodule_trans_lock_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.20/policy/modules/system/selinuxutil.if
---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-02-21 14:40:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/system/selinuxutil.if 2006-02-22 14:22:49.000000000 -0500
-@@ -778,3 +778,90 @@
- allow $1 policy_src_t:dir create_dir_perms;
- allow $1 policy_src_t:file create_file_perms;
- ')
-+
-+########################################
-+## <summary>
-+## Execute a domain transition to run semodule.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`semodule_domtrans',`
-+ gen_require(`
-+ type semodule_t, semodule_exec_t;
-+ ')
-+ files_search_usr($1)
-+ corecmd_search_bin($1)
-+
-+ domain_auto_trans($1,semodule_exec_t,semodule_t)
-+
-+ allow $1 semodule_t:fd use;
-+ allow semodule_t $1:fd use;
-+ allow semodule_t $1:fifo_file rw_file_perms;
-+ allow semodule_t $1:process sigchld;
-+')
-+
-+
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete files in
-+## /etc/selinux/*/modules/*
-+## such as mtab.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`seutil_manage_module_store_files',`
-+ gen_require(`
-+ type semodule_store_t;
-+ ')
-+
-+ allow $1 semodule_store_t:dir rw_dir_perms;
-+ allow $1 semodule_store_t:file create_file_perms;
-+ type_transition $1 selinux_config_t:dir semodule_store_t;
-+')
-+
-+
-+#######################################
-+## <summary>
-+## Get read lock on module store
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`seutil_module_get_read_lock',`
-+ gen_require(`
-+ type semodule_read_lock_t;
-+ ')
-+
-+ allow $1 semodule_read_lock_t:file rw_file_perms;
-+')
-+
-+#######################################
-+## <summary>
-+## Get trans lock on module store
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`seutil_module_get_trans_lock',`
-+ gen_require(`
-+ type semodule_trans_lock_t;
-+ ')
-+
-+ allow $1 semodule_trans_lock_t:file rw_file_perms;
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.20/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-02-21 14:40:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/system/selinuxutil.te 2006-02-22 14:22:49.000000000 -0500
-@@ -103,6 +103,27 @@
-
- ########################################
- #
-+# semodule Declarations
-+#
-+
-+type semodule_t;
-+domain_type(semodule_t)
-+role system_r types semodule_t;
-+
-+type semodule_exec_t;
-+domain_entry_file(semodule_t, semodule_exec_t)
-+
-+type semodule_store_t;
-+files_type(semodule_store_t)
-+
-+type semodule_read_lock_t;
-+files_type(semodule_read_lock_t)
-+
-+type semodule_trans_lock_t;
-+files_type(semodule_trans_lock_t)
-+
-+########################################
-+#
- # Checkpolicy local policy
- #
-
-@@ -183,6 +204,7 @@
++++ serefpolicy-2.2.21/policy/modules/system/mount.te 2006-02-23 10:11:48.000000000 -0500
+@@ -46,7 +46,7 @@
+ fs_unmount_all_fs(mount_t)
+ fs_remount_all_fs(mount_t)
+ fs_relabelfrom_all_fs(mount_t)
+-fs_search_auto_mountpoints(mount_t)
++fs_list_auto_mountpoints(mount_t)
+ fs_rw_tmpfs_chr_files(mount_t)
+ fs_read_tmpfs_symlinks(mount_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.21/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-02-23 09:25:09.000000000 -0500
++++ serefpolicy-2.2.21/policy/modules/system/selinuxutil.te 2006-02-23 09:41:46.000000000 -0500
+@@ -199,6 +199,7 @@
libs_use_ld_so(load_policy_t)
libs_use_shared_libs(load_policy_t)
@@ -532,7 +226,7 @@
miscfiles_read_localization(load_policy_t)
userdom_use_all_users_fds(load_policy_t)
-@@ -303,10 +325,6 @@
+@@ -319,10 +320,6 @@
nscd_socket_use(newrole_t)
')
@@ -543,128 +237,3 @@
########################################
#
# Restorecon local policy
-@@ -525,12 +543,53 @@
-
- miscfiles_read_localization(setfiles_t)
-
-+seutil_module_get_trans_lock(setfiles_t)
-+seutil_module_get_read_lock(setfiles_t)
-+
- userdom_use_all_users_fds(setfiles_t)
- # for config files in a home directory
- userdom_read_all_users_home_content_files(setfiles_t)
-
--ifdef(`TODO',`
--# for upgrading glibc and other shared objects - without this the upgrade
--# scripts will put things in a state such that setfiles can not be run!
--allow setfiles_t lib_t:file { read execute };
--') dnl endif TODO
-+########################################
-+#
-+# semodule local policy
-+#
-+term_use_all_terms(semodule_t)
-+allow semodule_t policy_config_t:file { read write };
-+allow semodule_t self:unix_stream_socket create_stream_socket_perms;
-+
-+corecmd_exec_bin(semodule_t)
-+corecmd_exec_sbin(semodule_t)
-+
-+files_read_etc_files(semodule_t)
-+files_search_etc(semodule_t)
-+files_list_usr(semodule_t)
-+files_list_pids(semodule_t)
-+files_read_usr_files(semodule_t)
-+
-+kernel_read_system_state(semodule_t)
-+kernel_read_kernel_sysctls(semodule_t)
-+
-+libs_use_ld_so(semodule_t)
-+libs_use_shared_libs(semodule_t)
-+libs_use_lib_files(semodule_t)
-+
-+mls_file_write_down(semodule_t)
-+mls_rangetrans_target(semodule_t)
-+
-+seutil_search_default_contexts(semodule_t)
-+seutil_rw_file_contexts(semodule_t)
-+seutil_domtrans_setfiles(semodule_t)
-+seutil_domtrans_loadpolicy(semodule_t)
-+seutil_read_config(semodule_t)
-+seutil_manage_bin_policy(semodule_t)
-+seutil_use_newrole_fds(semodule_t)
-+
-+seutil_manage_module_store_files(semodule_t)
-+seutil_module_get_trans_lock(semodule_t)
-+seutil_module_get_read_lock(semodule_t)
-+
-+optional_policy(`selinux', `
-+ selinux_get_enforce_mode(semodule_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.20/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if 2006-02-21 14:40:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/system/userdomain.if 2006-02-22 14:22:49.000000000 -0500
-@@ -145,6 +145,7 @@
- allow $1_t unpriv_userdomain:fd use;
-
- kernel_read_kernel_sysctls($1_t)
-+ kernel_read_net_sysctls($1_t)
- kernel_dontaudit_list_unlabeled($1_t)
- kernel_dontaudit_getattr_unlabeled_files($1_t)
- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
-@@ -414,6 +415,8 @@
- optional_policy(`rpm',`
- files_getattr_var_lib_dirs($1_t)
- files_search_var_lib($1_t)
-+ rpm_read_db($1_t)
-+ rpm_dontaudit_manage_db($1_t)
- ')
-
- optional_policy(`samba',`
-@@ -4425,3 +4428,24 @@
- allow $1 user_home_dir_t:dir create_dir_perms;
- files_home_filetrans($1,user_home_dir_t)
- ')
-+
-+
-+########################################
-+## <summary>
-+## mounton generic user home directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_mounton_generic_user_home_dir',`
-+ gen_require(`
-+ attribute user_home_dir_type, user_home_type;
-+ ')
-+
-+ allow $1 user_home_dir_type:dir mounton;
-+ allow $1 user_home_type:dir mounton;
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.20/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te 2006-02-21 14:40:25.000000000 -0500
-+++ serefpolicy-2.2.20/policy/modules/system/userdomain.te 2006-02-22 14:22:49.000000000 -0500
-@@ -75,7 +75,7 @@
- files_associate_tmp(user_home_t)
- fs_associate_tmpfs(user_home_t)
-
-- type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type;
-+ type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, user_home_dir_type, home_dir_type, home_type;
- files_type(user_home_dir_t)
- files_associate_tmp(user_home_dir_t)
- fs_associate_tmpfs(user_home_dir_t)
-@@ -364,6 +364,8 @@
- seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
- seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
- seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
-+ semodule_domtrans(secadm_t)
-+ role secadm_r types semodule_t;
- seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
- ', `
- selinux_set_enforce_mode(sysadm_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- selinux-policy.spec 22 Feb 2006 22:46:02 -0000 1.121
+++ selinux-policy.spec 23 Feb 2006 15:12:37 -0000 1.122
@@ -8,7 +8,7 @@
%define CHECKPOLICYVER 1.29.4-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.20
+Version: 2.2.21
Release: 1
License: GPL
Group: System Environment/Base
@@ -296,6 +296,9 @@
%changelog
+* Thu Feb 22 2006 Dan Walsh <dwalsh at redhat.com> 2.2.21-1
+- Update to upstream
+
* Wed Feb 22 2006 Dan Walsh <dwalsh at redhat.com> 2.2.20-1
- Fix load_policy to work on MLS
- Fix cron_rw_system_pipes for postfix_postdrop_t
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- sources 22 Feb 2006 22:46:02 -0000 1.48
+++ sources 23 Feb 2006 15:12:37 -0000 1.49
@@ -1 +1 @@
-16bf45c49cbe78b2c977cffc88884de2 serefpolicy-2.2.20.tgz
+fe84e844d9a838bd87d4e80f381141cb serefpolicy-2.2.21.tgz