rpms/selinux-policy/F-7 policy-20070501.patch, 1.42, 1.43 selinux-policy.spec, 1.482, 1.483

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Aug 3 18:26:53 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18279

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Fri Aug 3 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-32
- Allow ping to bind to rawip_socket


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- policy-20070501.patch	1 Aug 2007 20:41:28 -0000	1.42
+++ policy-20070501.patch	3 Aug 2007 18:26:51 -0000	1.43
@@ -574,7 +574,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.6.4/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/netutils.te	2007-07-31 16:39:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/netutils.te	2007-08-03 08:45:43.000000000 -0400
 @@ -31,6 +31,7 @@
  type traceroute_t;
  type traceroute_exec_t;
@@ -583,6 +583,14 @@
  role system_r types traceroute_t;
  
  ########################################
+@@ -118,6 +119,7 @@
+ corenet_tcp_sendrecv_all_if(ping_t)
+ corenet_raw_sendrecv_all_if(ping_t)
+ corenet_raw_sendrecv_all_nodes(ping_t)
++corenet_raw_bind_all_nodes(ping_t)
+ corenet_tcp_sendrecv_all_nodes(ping_t)
+ corenet_tcp_sendrecv_all_ports(ping_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.6.4/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-05-07 14:51:04.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/admin/prelink.te	2007-07-31 16:39:53.000000000 -0400
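Review bot: The added `corenet_raw_bind_all_nodes(ping_t)` in netutils.te has no comment saying which ping behaviour needs it, and it grants raw-socket bind on every node type rather than a narrower set. That breadth matches the neighbouring `corenet_raw_sendrecv_all_nodes(ping_t)` line, so it may well be intended. A one-line rationale above the rule would let a later policy audit confirm it, for example `# ping binds its raw socket before sending; added for <AVC denial / bug reference>`. The surrounding ping_t rule block starts and ends outside the hunk.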
@@ -676,7 +684,7 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-07-31 16:39:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-08-02 15:13:10.000000000 -0400
 @@ -211,6 +211,24 @@
  
  ########################################
@@ -733,7 +741,7 @@
  ')
  
  ########################################
-@@ -290,3 +329,85 @@
+@@ -290,3 +329,103 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -783,6 +791,24 @@
 +
 +########################################
 +## <summary>
++##	allow domain to read, RPM tmp files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`rpm_read_tmp_files',`
++	gen_require(`
++		type rpm_tmp_t;
++	')
++
++	allow $1 rpm_tmp_t:file r_file_perms;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to read, 
 +##	write RPM tmp files
 +## </summary>
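Review bot: The parameter description of the new `rpm_read_tmp_files` interface says `Domain to not audit.`, but the body is an `allow` rule, so the generated interface documentation states the opposite of what a caller gets. It looks copied from the dontaudit interface that follows and should read `##	Domain allowed access.`. The summary would also be clearer as `##	Allow the domain to read RPM tmp files.`. The interface grants only `rpm_tmp_t:file` permissions, so whether callers also need search access to the containing directory cannot be seen from this hunk and is worth confirming.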
@@ -8786,8 +8812,8 @@
 \ No newline at end of file
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-2.6.4/policy/modules/system/fusermount.te
 --- nsaserefpolicy/policy/modules/system/fusermount.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/system/fusermount.te	2007-07-31 16:39:53.000000000 -0400
-@@ -0,0 +1,51 @@
++++ serefpolicy-2.6.4/policy/modules/system/fusermount.te	2007-08-03 14:21:48.000000000 -0400
+@@ -0,0 +1,47 @@
 +policy_module(fusermount,1.0.0)
 +
 +########################################
@@ -8830,10 +8856,6 @@
 +	hal_rw_pipes(fusermount_t)
 +')
 +
-+optional_policy(`
-+	mount_ntfs_rw_stream_sockets(fusermount_t)
-+')
-+
 +ifdef(`targeted_policy',`
 +	term_use_generic_ptys(fusermount_t)
 +	term_use_console(fusermount_t)
@@ -9203,7 +9225,7 @@
  # vmware 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te	2007-07-31 16:39:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te	2007-08-02 15:13:32.000000000 -0400
 @@ -62,7 +62,8 @@
  
  manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -9743,53 +9765,9 @@
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 -
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-2.6.4/policy/modules/system/mount.if
---- nsaserefpolicy/policy/modules/system/mount.if	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.if	2007-07-31 16:39:53.000000000 -0400
-@@ -143,3 +143,40 @@
- 		mount_domtrans($1)
- 	')
- ')
-+
-+########################################
-+## <summary>
-+##	Execute a domain transition to run mount_ntfs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`mount_ntfs_domtrans',`
-+	gen_require(`
-+		type mount_ntfs_t, mount_ntfs_exec_t;
-+	')
-+
-+	domtrans_pattern($1,mount_ntfs_exec_t,mount_ntfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Allow the specified domain to read/write to
-+##	init scripts with a unix domain stream sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`mount_ntfs_rw_stream_sockets',`
-+	gen_require(`
-+		type mount_ntfs_t;
-+	')
-+
-+	allow $1 mount_ntfs_t:unix_stream_socket { read write };
-+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-08-01 16:40:38.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-08-03 14:22:02.000000000 -0400
 @@ -9,6 +9,13 @@
  ifdef(`targeted_policy',`
  ## <desc>
@@ -9917,7 +9895,7 @@
 +fusermount_domtrans(mount_t)
 +fusermount_use_fds(mount_t)
 +
-+# modutils_domtrans_insmod(mount_t)
++modutils_exec_insmod(mount_t)
 +
 +optional_policy(`
 +	hal_write_log(mount_t)
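Review bot: `modutils_exec_insmod(mount_t)` replaces a commented-out `modutils_domtrans_insmod(mount_t)`, which, going by the interface names, means insmod would run inside mount_t instead of transitioning to its own domain. Any privilege needed to load a module would then have to be held by mount_t itself, and nothing in this hunk shows whether that widening is intended. A comment above the line such as `# insmod is executed without a domain transition because <reason>` would make the choice reviewable. The 2.6.4-32 changelog entry mentions only ping, so this change deserves its own line there. The mount.te section continues outside the hunk.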


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.482
retrieving revision 1.483
diff -u -r1.482 -r1.483
--- selinux-policy.spec	1 Aug 2007 20:41:28 -0000	1.482
+++ selinux-policy.spec	3 Aug 2007 18:26:51 -0000	1.483
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 31%{?dist}
+Release: 32%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@
 %endif
 
 %changelog
+* Fri Aug 3 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-32
+- Allow ping to bind to rawip_socket
+
 * Wed Aug 1 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-31
 - Fix specification of nagios cgi scripts
 



