rpms/selinux-policy/devel policy-20070703.patch, 1.30, 1.31 selinux-policy.spec, 1.493, 1.494

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Aug 10 16:10:30 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16404

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Fri Aug 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-4
- Fix dbus chat to not happen for xguest and guest users


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- policy-20070703.patch	9 Aug 2007 19:18:57 -0000	1.30
+++ policy-20070703.patch	10 Aug 2007 16:10:27 -0000	1.31
@@ -594,7 +594,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.5/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/admin/logwatch.te	2007-08-07 10:18:57.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/admin/logwatch.te	2007-08-10 11:56:22.000000000 -0400
 @@ -29,7 +29,6 @@
  allow logwatch_t self:process signal;
  allow logwatch_t self:fifo_file rw_file_perms;
@@ -608,7 +608,7 @@
  
  dev_read_urand(logwatch_t)
 -dev_search_sysfs(logwatch_t)
-+dev_list_sysfs(logwatch_t)
++dev_read_sysfs(logwatch_t)
  
  # Read /proc/PID directories for all domains.
  domain_read_all_domains_state(logwatch_t)
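Review bot: The `+dev_read_sysfs(logwatch_t)` line widens logwatch_t's access from listing sysfs directories (the previous `dev_list_sysfs`) to reading sysfs files, but the changelog entry only mentions dbus chat, so the reason for the widening is not recorded anywhere. A one-line comment above the call naming the access that was denied (e.g. `# logwatch reads sysfs attribute files: <denial or report that motivated this>`) would let the next person auditing logwatch_t's device access tell a needed grant from a blanket fix. The rest of logwatch.te's rules lie outside this hunk, so it is not visible whether anything else changed alongside it.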
@@ -4119,17 +4119,6 @@
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
  fs_getattr_xattr_fs(ndc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.5/policy/modules/services/bluetooth.te
---- nsaserefpolicy/policy/modules/services/bluetooth.te	2007-08-02 08:17:27.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/bluetooth.te	2007-08-07 09:39:49.000000000 -0400
-@@ -128,6 +128,7 @@
- 	dbus_system_bus_client_template(bluetooth,bluetooth_t)
- 	dbus_connect_system_bus(bluetooth_t)
- 	dbus_send_system_bus(bluetooth_t)
-+	userdom_dbus_chat_all_users(bluetooth_t)
- ')
- 
- optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.5/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/clamav.fc	2007-08-07 09:39:49.000000000 -0400
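Review bot: Dropping `userdom_dbus_chat_all_users(bluetooth_t)` is the right direction, since that interface (deleted from userdomain.if further down) granted `dbus send_msg` in both directions between the daemon and every domain carrying the `userdomain` attribute, which is presumably how guest_t and xguest_t ended up with a channel to bluetoothd; the same removal is applied to consolekit_t, cupsd_t, hald_t and NetworkManager_t in the hunks below, and this note covers those too. Because the interface definition goes away in the same commit, any caller that survives elsewhere in the tree or in a locally built module will fail at m4 expansion rather than at runtime, so a grep for `userdom_dbus_chat_all_users` over the whole patch and over installed local modules is worth doing before the build. The replacements are now per-daemon grants (`consolekit_dbus_chat`, `networkmanager_dbus_chat`, `cups_dbus_chat`, `hal_dbus_chat`) placed inside specific user templates, which is the least-privilege shape; none of them restores the blanket two-way access, which is what the changelog is describing.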
@@ -4192,7 +4181,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.5/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/consolekit.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/consolekit.te	2007-08-10 11:40:51.000000000 -0400
 @@ -10,7 +10,6 @@
  type consolekit_exec_t;
  init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -4233,12 +4222,11 @@
  optional_policy(`
  	dbus_system_bus_client_template(consolekit, consolekit_t)
  	dbus_send_system_bus(consolekit_t)
-@@ -62,9 +68,17 @@
+@@ -62,9 +68,16 @@
  	optional_policy(`
  		unconfined_dbus_chat(consolekit_t)
  	')
 +
-+	userdom_dbus_chat_all_users(consolekit_t)
  ')
  
  optional_policy(`
@@ -4671,7 +4659,7 @@
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.5/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/cups.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/cups.te	2007-08-10 11:32:15.000000000 -0400
 @@ -81,12 +81,11 @@
  # /usr/lib/cups/backend/serial needs sys_admin(?!)
  allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@@ -4784,18 +4772,7 @@
  	cron_system_entry(cupsd_t, cupsd_exec_t)
  ')
  
-@@ -250,6 +278,10 @@
- 	optional_policy(`
- 		hal_dbus_chat(cupsd_t)
- 	')
-+
-+	optional_policy(`
-+		userdom_dbus_chat_all_users(cupsd_t)
-+	')
- ')
- 
- optional_policy(`
-@@ -265,16 +297,16 @@
+@@ -265,16 +293,16 @@
  ')
  
  optional_policy(`
@@ -4816,7 +4793,7 @@
  	seutil_sigchld_newrole(cupsd_t)
  ')
  
-@@ -379,6 +411,14 @@
+@@ -379,6 +407,14 @@
  ')
  
  optional_policy(`
@@ -4831,7 +4808,7 @@
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -562,7 +602,7 @@
+@@ -562,7 +598,7 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -4840,7 +4817,7 @@
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -589,8 +629,6 @@
+@@ -589,8 +625,6 @@
  userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
@@ -5431,7 +5408,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.5/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/hal.te	2007-08-09 14:46:39.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/hal.te	2007-08-10 11:34:53.000000000 -0400
 @@ -22,6 +22,12 @@
  type hald_log_t;
  files_type(hald_log_t)
@@ -5495,18 +5472,15 @@
  	alsa_read_rw_config(hald_t)
  ')
  
-@@ -228,6 +242,10 @@
+@@ -228,6 +242,7 @@
  	optional_policy(`
  		networkmanager_dbus_chat(hald_t)
  	')
 +
-+	optional_policy(`
-+		userdom_dbus_chat_all_users(hald_t)
-+	')
  ')
  
  optional_policy(`
-@@ -283,6 +301,7 @@
+@@ -283,6 +298,7 @@
  #
  
  allow hald_acl_t self:capability { dac_override fowner };
@@ -5514,7 +5488,7 @@
  allow hald_acl_t self:fifo_file read_fifo_file_perms;
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -296,7 +315,10 @@
+@@ -296,7 +312,10 @@
  corecmd_exec_bin(hald_acl_t)
  
  dev_getattr_all_chr_files(hald_acl_t)
@@ -5525,7 +5499,7 @@
  dev_setattr_sound_dev(hald_acl_t)
  dev_setattr_generic_usb_dev(hald_acl_t)
  dev_setattr_usbfs_files(hald_acl_t)
-@@ -358,3 +380,25 @@
+@@ -358,3 +377,25 @@
  libs_use_shared_libs(hald_sonypic_t)
  
  miscfiles_read_localization(hald_sonypic_t)
@@ -5987,7 +5961,7 @@
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.5/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te	2007-08-10 11:35:13.000000000 -0400
 @@ -41,6 +41,8 @@
  kernel_read_kernel_sysctls(NetworkManager_t)
  kernel_load_module(NetworkManager_t)
@@ -5997,15 +5971,7 @@
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_all_if(NetworkManager_t)
-@@ -136,6 +138,7 @@
- 	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
- 	dbus_connect_system_bus(NetworkManager_t)
- 	dbus_send_system_bus(NetworkManager_t)
-+	userdom_dbus_chat_all_users(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -152,6 +155,11 @@
+@@ -152,6 +154,11 @@
  ')
  
  optional_policy(`
@@ -6017,7 +5983,7 @@
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
-@@ -166,6 +174,7 @@
+@@ -166,6 +173,7 @@
  ')
  
  optional_policy(`
@@ -11153,7 +11119,7 @@
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if	2007-08-07 10:28:24.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/userdomain.if	2007-08-10 11:57:57.000000000 -0400
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -11451,7 +11417,7 @@
  	optional_policy(`
  		alsa_read_rw_config($1_t)
  	')
-@@ -829,34 +777,14 @@
+@@ -829,11 +777,6 @@
  	')
  
  	optional_policy(`
@@ -11463,56 +11429,59 @@
  		allow $1_t self:dbus send_msg;
  		dbus_system_bus_client_template($1,$1_t)
  
+@@ -842,21 +785,18 @@
+ 		')
+ 
  		optional_policy(`
--			bluetooth_dbus_chat($1_t)
--		')
--
--		optional_policy(`
- 			evolution_dbus_chat($1,$1_t)
- 			evolution_alarm_dbus_chat($1,$1_t)
+-			evolution_dbus_chat($1,$1_t)
+-			evolution_alarm_dbus_chat($1,$1_t)
++			consolekit_dbus_chat($1_t)
  		')
  
--		optional_policy(`
+ 		optional_policy(`
 -			cups_dbus_chat_config($1_t)
--		')
--
--		optional_policy(`
++			networkmanager_dbus_chat($1_t)
+ 		')
+ 
+ 		optional_policy(`
 -			hal_dbus_chat($1_t)
--		')
--
++			evolution_dbus_chat($1,$1_t)
++			evolution_alarm_dbus_chat($1,$1_t)
+ 		')
+ 
 -		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
 -		')
  	')
  
  	optional_policy(`
-@@ -884,17 +812,19 @@
+@@ -884,17 +824,17 @@
  	')
  
  	optional_policy(`
 -		nis_use_ypbind($1_t)
--	')
--
--	optional_policy(`
- 		tunable_policy(`allow_user_mysql_connect',`
- 			mysql_stream_connect($1_t)
- 		')
++		alsa_read_rw_config($1_t)
  	')
  
 -	optional_policy(`
--		nscd_socket_use($1_t)
+-		tunable_policy(`allow_user_mysql_connect',`
+-			mysql_stream_connect($1_t)
+-		')
+-	')
 +	 optional_policy(`
 +	          tunable_policy(`allow_user_postgresql_connect',`
 +			postgresql_stream_connect($1_t)
 +		  ')
 +        ')
-+
+ 
+-	optional_policy(`
+-		nscd_socket_use($1_t)
 +	tunable_policy(`user_ttyfile_stat',`
 +		term_getattr_all_user_ttys($1_t)
  	')
  
  	optional_policy(`
-@@ -908,16 +838,6 @@
+@@ -908,16 +848,6 @@
  	')
  
  	optional_policy(`
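Review bot: The hunk at `@@ -884,17 +824,17 @@` now removes the `allow_user_mysql_connect` tunable block from this user template (the `+-		tunable_policy(` through `+-	')` lines) and adds `alsa_read_rw_config($1_t)` in its place, and neither change is mentioned in the changelog. Unless `mysql_stream_connect($1_t)` is granted to these users somewhere else, the boolean silently stops having any effect for them, which anyone who turned it on will notice only as a denial; and `alsa_read_rw_config($1_t)` already appears as upstream context just above the `@@ -829` hunk, so if that is the same template the new call is redundant (harmless, duplicate allow rules merge). As rendered here, both this hunk and the one at `@@ -842,21 +785,18 @@` show lines (the mysql block, the `evolution_dbus_chat` pair) as unchanged context immediately followed by the same lines as removals; if that is not an artefact of the archive, the hunks will not apply cleanly, so a dry run of the patch against serefpolicy-3.0.5 is worth doing. The enclosing template begins and ends outside this hunk.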
@@ -11529,7 +11498,7 @@
  		resmgr_stream_connect($1_t)
  	')
  
-@@ -927,11 +847,6 @@
+@@ -927,11 +857,6 @@
  	')
  
  	optional_policy(`
@@ -11541,7 +11510,7 @@
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -962,21 +877,162 @@
+@@ -962,21 +887,162 @@
  ##	</summary>
  ## </param>
  #
@@ -11710,7 +11679,7 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -985,15 +1041,53 @@
+@@ -985,15 +1051,53 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -11768,10 +11737,15 @@
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1123,7 @@
- 	# and may change other protocols
- 	tunable_policy(`user_tcp_server',`
- 		corenet_tcp_bind_all_nodes($1_t)
+@@ -1024,20 +1128,12 @@
+ 		kernel_dontaudit_read_ring_buffer($1_t)
+ 	')
+ 
+-	# Allow users to run TCP servers (bind to ports and accept connection from
+-	# the same domain and outside users)  disabling this forces FTP passive mode
+-	# and may change other protocols
+-	tunable_policy(`user_tcp_server',`
+-		corenet_tcp_bind_all_nodes($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 -	')
 -
@@ -11781,11 +11755,16 @@
 -
 -	optional_policy(`
 -		loadkeys_run($1_t,$1_r,$1_tty_device_t)
++	# Allow users to run TCP servers (bind to ports and accept connection from
++	# the same domain and outside users)  disabling this forces FTP passive mode
++	# and may change other protocols
++	tunable_policy(`user_tcp_server',`
++		corenet_tcp_bind_all_nodes($1_t)
 +		corenet_tcp_bind_all_unreserved_ports($1_t)
  	')
  
  	optional_policy(`
-@@ -1054,17 +1140,6 @@
+@@ -1054,17 +1150,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -11803,7 +11782,7 @@
  ')
  
  #######################################
-@@ -1102,6 +1177,8 @@
+@@ -1102,6 +1187,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -11812,7 +11791,7 @@
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1204,7 @@
+@@ -1127,7 +1214,7 @@
  	# $1_t local policy
  	#
  
@@ -11821,7 +11800,7 @@
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,7 +1216,11 @@
+@@ -1139,7 +1226,11 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -11834,7 +11813,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1902,6 +1983,41 @@
+@@ -1902,6 +1993,41 @@
  
  ########################################
  ## <summary>
@@ -11876,7 +11855,7 @@
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -3078,7 +3194,7 @@
+@@ -3078,7 +3204,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -11885,7 +11864,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5439,7 @@
+@@ -5323,7 +5449,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -11894,34 +11873,7 @@
  ')
  
  ########################################
-@@ -5548,6 +5664,26 @@
- 
- ########################################
- ## <summary>
-+##	Send a dbus message to all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dbus_chat_all_users',`
-+	gen_require(`
-+		attribute userdomain;
-+		class dbus send_msg;
-+	')
-+
-+	allow $1 userdomain:dbus send_msg;
-+	allow userdomain $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
- ##	Unconfined access to user domains.  (Deprecated)
- ## </summary>
- ## <param name="domain">
-@@ -5559,3 +5695,275 @@
+@@ -5559,3 +5685,280 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -12113,6 +12065,11 @@
 +	dbus_per_role_template($1, $1_t, $1_r)
 +	dbus_system_bus_client_template($1, $1_t)
 +	allow $1_t self:dbus send_msg;
++
++	optional_policy(`
++		cups_dbus_chat($1_t)
++	')
++
 +')
 +
 +optional_policy(`
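Review bot: The added `cups_dbus_chat($1_t)` block gives every role built from this template a two-way dbus channel with cupsd_t (in refpolicy the `*_dbus_chat` interfaces allow send_msg in both directions), and the template it lands in starts outside the hunk, so it is not visible which roles it now covers; if this is the template guest.te applies to xguest, that role gets a cupsd channel in the same commit whose changelog says dbus chat should not happen for xguest. A one-line comment above the block stating what the grant is for, in the style of the `# Allow mounting of file systems` comment in guest.te, would make it auditable, e.g. `# <reason this role needs to talk to cupsd over dbus>`. The previous `cups_dbus_chat_config($1_t)` grant that the patch removes from the common user template is not re-added here, so it is worth confirming that configuring printers from these roles is not expected to work.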
@@ -12396,13 +12353,17 @@
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.5/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.5/policy/modules/users/guest.te	2007-08-07 09:39:49.000000000 -0400
-@@ -0,0 +1,5 @@
++++ serefpolicy-3.0.5/policy/modules/users/guest.te	2007-08-10 11:34:33.000000000 -0400
+@@ -0,0 +1,9 @@
 +policy_module(guest,1.0.0)
 +userdom_unpriv_login_user(guest)
 +userdom_unpriv_login_user(gadmin)
 +userdom_unpriv_xwindows_login_user(xguest)
 +mozilla_per_role_template(xguest, xguest_t, xguest_r)
++# Allow mounting of file systems
++optional_policy(`
++	hal_dbus_chat(xguest_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.5/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.5/policy/modules/users/logadm.fc	2007-08-07 09:39:49.000000000 -0400
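Review bot: `hal_dbus_chat(xguest_t)` grants more than the `# Allow mounting of file systems` comment suggests: in refpolicy that interface allows dbus send_msg between xguest_t and hald_t in both directions, so it exposes the whole hald method surface to the guest role, not just the mount calls. The same patch still removes `hal_dbus_chat($1_t)` from the common unprivileged user template (the `-			hal_dbus_chat($1_t)` line in the userdomain.if hunk), so unless ordinary X users get it through another template, xguest_t ends up with a hald channel that user_t does not have, which looks inverted for a guest role and is worth confirming. The comment could state the actual scope, e.g. `# two-way dbus channel to hald, needed so xguest can mount removable media`, so a later reader does not assume a mount-only grant.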


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.493
retrieving revision 1.494
diff -u -r1.493 -r1.494
--- selinux-policy.spec	9 Aug 2007 19:18:57 -0000	1.493
+++ selinux-policy.spec	10 Aug 2007 16:10:27 -0000	1.494
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@
 %endif
 
 %changelog
+* Fri Aug 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-4
+- Fix dbus chat to not happen for xguest and guest users
+
 * Mon Aug 6 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-3
 - Fix nagios cgi
 - allow squid to communicate with winbind



