rpms/selinux-policy/devel policy-20060104.patch,1.20,1.21
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Jan 25 16:43:59 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv26255
Modified Files:
policy-20060104.patch
Log Message:
* Mon Jan 24 2006 Dan Walsh <dwalsh at redhat.com> 2.2.4-1
- Many changes for MLS
- Turn on strict policy
policy-20060104.patch:
modules/admin/alsa.te | 1 +
modules/admin/kudzu.te | 1 +
modules/admin/prelink.fc | 1 +
modules/admin/prelink.te | 2 ++
modules/admin/readahead.te | 3 ++-
modules/admin/rpm.te | 1 +
modules/admin/tmpreaper.te | 4 ++++
modules/apps/slocate.te | 5 ++++-
modules/kernel/bootloader.te | 1 +
modules/kernel/files.if | 2 ++
modules/kernel/filesystem.if | 17 +++++++++++++++++
modules/kernel/mls.te | 1 +
modules/services/automount.fc | 4 ++++
modules/services/cups.te | 1 +
modules/services/dbus.fc | 3 ++-
modules/services/procmail.te | 1 +
modules/services/xserver.if | 9 +++++++++
modules/system/authlogin.te | 4 ----
modules/system/fstools.te | 1 +
modules/system/locallogin.te | 12 ++++++++----
modules/system/logging.te | 12 +++++-------
modules/system/lvm.te | 1 +
modules/system/modutils.te | 2 ++
modules/system/mount.te | 1 +
modules/system/unconfined.if | 5 +++++
modules/system/userdomain.if | 3 ++-
modules/system/userdomain.te | 6 ++++++
users | 9 +++------
28 files changed, 88 insertions(+), 25 deletions(-)
Index: policy-20060104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060104.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- policy-20060104.patch 24 Jan 2006 21:47:16 -0000 1.20
+++ policy-20060104.patch 25 Jan 2006 16:43:56 -0000 1.21
@@ -49,16 +49,17 @@
fs_getattr_xattr_fs(prelink_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.2.5/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2006-01-17 17:08:52.000000000 -0500
-+++ serefpolicy-2.2.5/policy/modules/admin/readahead.te 2006-01-24 13:55:57.000000000 -0500
-@@ -28,6 +28,7 @@
++++ serefpolicy-2.2.5/policy/modules/admin/readahead.te 2006-01-24 16:51:20.000000000 -0500
+@@ -27,7 +27,7 @@
+
kernel_read_kernel_sysctl(readahead_t)
kernel_read_system_state(readahead_t)
- kernel_getattr_core(readahead_t)
-+kernel_getattr_core(readahead_t)
+-kernel_getattr_core(readahead_t)
++kernel_dontaudit_getattr_core(readahead_t)
dev_read_sysfs(readahead_t)
dev_getattr_generic_chr_file(readahead_t)
-@@ -48,6 +49,7 @@
+@@ -48,6 +48,7 @@
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
fs_search_ramfs(readahead_t)
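Review bot: The replacement of `kernel_getattr_core(readahead_t)` by `kernel_dontaudit_getattr_core(readahead_t)` carries no comment, so a later reader cannot tell whether the stat of the core device was found unnecessary or only noisy, and may be tempted to restore the allow. A one-line comment above it, `# readahead stats kcore but does not need it; silence the denial rather than grant the access`, would record that the narrower choice is deliberate — confirm the reason before committing the wording. The readahead.te hunk this sits in begins and ends outside what the outer hunk shows.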
@@ -66,6 +67,17 @@
term_dontaudit_use_console(readahead_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.5/policy/modules/admin/rpm.te
+--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-01-17 17:08:52.000000000 -0500
++++ serefpolicy-2.2.5/policy/modules/admin/rpm.te 2006-01-25 09:27:53.000000000 -0500
+@@ -288,6 +288,7 @@
+
+ term_getattr_unallocated_ttys(rpm_script_t)
+ term_list_ptys(rpm_script_t)
++term_use_all_terms(rpm_script_t)
+
+ auth_dontaudit_getattr_shadow(rpm_script_t)
+ # ideally we would not need this
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-2.2.5/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/tmpreaper.te 2006-01-24 12:53:38.000000000 -0500
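Review bot: The added `term_use_all_terms(rpm_script_t)` grants package scriptlets read/write on every tty and pty type, while the neighbouring lines deliberately use the narrower `term_getattr_unallocated_ttys` and `term_list_ptys` forms, and no comment says why the wide grant is needed. If the only requirement is the terminal rpm was started on, the inherited descriptor from the caller's domain is a narrower path; if all terminal types really are required (the changelog's MLS work is the likely reason, but that is inferred), a comment such as `# scriptlets may read/write the invoking terminal under MLS; needs all term types` should sit above it. The rpm.te hunk continues outside what is shown here.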
@@ -155,6 +167,16 @@
## Read and write character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.5/policy/modules/kernel/mls.te
+--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-01-17 17:08:52.000000000 -0500
++++ serefpolicy-2.2.5/policy/modules/kernel/mls.te 2006-01-25 09:51:52.000000000 -0500
+@@ -88,5 +88,6 @@
+ ifdef(`enable_mls',`
+ # run init with maximum MLS range
+ range_transition kernel_t init_exec_t s0 - s15:c0.c255;
++range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+ range_transition initrc_t auditd_exec_t s15:c0.c255;
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-2.2.5/policy/modules/services/automount.fc
--- nsaserefpolicy/policy/modules/services/automount.fc 2005-12-09 16:09:22.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/automount.fc 2006-01-24 11:56:59.000000000 -0500
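Review bot: The new `range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;` gives LVM executed directly from kernel_t the full MLS range, the same privilege the line above grants init, but unlike that line it has no explanatory comment. A comment such as `# lvm is run from the initrd by kernel_t; it needs the full range like init to activate volumes at any level` would record the intent — confirm that initrd is the actual caller before using that wording. Separately, mls.te is in the kernel layer and now names `lvm_exec_t`, a type declared in the system-layer lvm module; if lvm is ever built as a loadable module instead of into base, this line will not compile, which is worth either a note or an `optional_policy` wrapper with a `gen_require` block.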
@@ -354,6 +376,23 @@
term_use_all_terms(mount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.5/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-01-20 10:02:33.000000000 -0500
++++ serefpolicy-2.2.5/policy/modules/system/unconfined.if 2006-01-25 10:24:04.000000000 -0500
+@@ -54,8 +54,13 @@
+ tunable_policy(`allow_execmem && allow_execstack',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execstack;
++ ', `
++ # These are fairly common but seem to be harmless
++ # caused by using shared libraries built with old tool chains
++ dontaudit $1 self:process execstack;
+ ')
+
++
+ optional_policy(`authlogin',`
+ auth_unconfined($1)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-01-23 08:26:51.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/userdomain.if 2006-01-24 13:20:21.000000000 -0500
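Review bot: The new `dontaudit $1 self:process execstack;` in the else branch suppresses the AVC record for every domain using this template whenever the booleans are off, so an executable-stack request — exactly what the `allow_execmem && allow_execstack` tunable exists to control — no longer leaves a trace in the audit log; that is a detection trade-off, not something "harmless". The comment should say so: replace `# These are fairly common but seem to be harmless` with `# Shared libraries from old tool chains request an executable stack; the denial remains in force but is not audited, so real attempts are hidden as well`. The lone added blank line before `optional_policy(` is whitespace noise that could be dropped. The enclosing interface begins and ends outside the hunk.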