rpms/selinux-policy/F-7 policy-20070501.patch, 1.46, 1.47 selinux-policy.spec, 1.486, 1.487
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Aug 13 11:38:13 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28033
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Mon Aug 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-36
- Allow NetworkManager to chown
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- policy-20070501.patch 11 Aug 2007 11:06:35 -0000 1.46
+++ policy-20070501.patch 13 Aug 2007 11:38:10 -0000 1.47
@@ -4631,7 +4631,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-13 07:17:55.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -4726,7 +4726,7 @@
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -190,12 +195,46 @@
+@@ -190,12 +195,54 @@
seutil_dontaudit_search_config(dovecot_auth_t)
@@ -4747,6 +4747,14 @@
+ postfix_search_spool(dovecot_auth_t)
+')
+
++# for gssapi (kerberos)
++userdom_list_unpriv_users_tmp(dovecot_auth_t)
++userdom_read_unpriv_users_tmp_files(dovecot_auth_t)
++userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t)
++
++ifdef(`targeted_policy',`
++ files_manage_generic_tmp_files(dovecot_auth_t)
++')
+
+########################################
+#
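Review bot: The added targeted_policy block grants `files_manage_generic_tmp_files(dovecot_auth_t)`, which covers create, write and unlink on generic tmp files, while the three `userdom_*` lines above it under `# for gssapi (kerberos)` are all list/read. If the targeted case only needs to read a Kerberos credential cache that ends up with the generic tmp label (inferred from the comment, not shown here), `files_read_generic_tmp_files(dovecot_auth_t)` would be the narrower grant. If write access really is needed, the block should carry its own comment, e.g. `# targeted: <what dovecot-auth creates or modifies in /tmp>`. The log message mentions only NetworkManager, so this widening of the authentication domain is easy to miss in later audits. The enclosing inner hunk starts and ends outside this hunk.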
@@ -5649,7 +5657,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.6.4/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.te 2007-08-13 06:58:07.000000000 -0400
+@@ -20,7 +20,7 @@
+
+ # networkmanager will ptrace itself if gdb is installed
+ # and it receives a unexpected signal (rh bug #204161)
+-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { chown kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+ dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+ allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+ allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
@@ -41,6 +41,8 @@
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
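Review bot: The `chown` capability added to the `allow NetworkManager_t self:capability` line has no comment or bug reference saying which object NetworkManager needs to re-own. The comment directly above the line is about ptrace (rh bug #204161), not about this rule. Since the same set already holds `dac_override`, `setuid` and `setgid`, a one-line rationale would let a later audit decide whether the capability can be dropped: `# chown: <file or socket NetworkManager re-owns, bug reference>`. The capability by itself does not decide which types can be affected; that still depends on the `setattr` file rules elsewhere in networkmanager.te, which are outside this hunk.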
@@ -9347,8 +9364,16 @@
# vmware
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-11 07:02:45.000000000 -0400
-@@ -62,7 +62,8 @@
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-13 07:21:34.000000000 -0400
+@@ -55,14 +55,15 @@
+ # ldconfig local policy
+ #
+
+-allow ldconfig_t self:capability sys_chroot;
++allow ldconfig_t self:capability { dac_override sys_chroot };
+
+ allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+ files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
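Review bot: `dac_override` on `ldconfig_t` bypasses DAC checks for writes as well as reads, and the context lines show this domain already has `manage_file_perms` on `ld_so_cache_t`. If the denial behind this change was ldconfig failing to traverse or read a directory (the `files_search_home(ldconfig_t)` added in the next hunk suggests so, though that is inferred), `allow ldconfig_t self:capability { dac_read_search sys_chroot };` is the narrower grant to try first. Either way, a comment naming the triggering denial would make both additions reviewable: `# dac_override/search_home: <path and AVC that required it>`.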
@@ -9358,7 +9383,15 @@
manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
-@@ -99,8 +100,9 @@
+@@ -72,6 +73,7 @@
+
+ domain_use_interactive_fds(ldconfig_t)
+
++files_search_home(ldconfig_t)
+ files_search_var_lib(ldconfig_t)
+ files_read_etc_files(ldconfig_t)
+ files_search_tmp(ldconfig_t)
+@@ -99,8 +101,9 @@
ifdef(`targeted_policy',`
allow ldconfig_t lib_t:file read_file_perms;
files_read_generic_tmp_symlinks(ldconfig_t)
@@ -9370,7 +9403,7 @@
')
optional_policy(`
-@@ -113,4 +115,6 @@
+@@ -113,4 +116,6 @@
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.486
retrieving revision 1.487
diff -u -r1.486 -r1.487
--- selinux-policy.spec 11 Aug 2007 11:06:35 -0000 1.486
+++ selinux-policy.spec 13 Aug 2007 11:38:10 -0000 1.487
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 35%{?dist}
+Release: 36%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@
%endif
%changelog
+* Mon Aug 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-36
+- Allow NetworkManager to chown
+
* Sat Aug 11 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-35
- Allow ldconfig to talk to terminal