rpms/selinux-policy/F-7 policy-20070501.patch, 1.78, 1.79 selinux-policy.spec, 1.508, 1.509

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Dec 3 02:58:13 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29326

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Sun Dec 2 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-60
- Allow exim to be an entrypoint for system_mail_t


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- policy-20070501.patch	26 Nov 2007 16:04:14 -0000	1.78
+++ policy-20070501.patch	3 Dec 2007 02:58:08 -0000	1.79
@@ -4721,7 +4721,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-2.6.4/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/consolekit.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/consolekit.te	2007-11-26 22:41:43.000000000 -0500
 @@ -10,7 +10,6 @@
  type consolekit_exec_t;
  init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -5154,7 +5154,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-11-14 10:50:09.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-11-28 08:28:47.000000000 -0500
 @@ -8,6 +8,7 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5163,16 +5163,18 @@
  /etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
-@@ -17,7 +18,7 @@
+@@ -16,8 +17,9 @@
+ /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
  /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/hpijs		--	gen_context(system_u:object_r:hplip_exec_t,s0)
  
 -/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
 +/usr/lib(64)?/cups/daemon -d gen_context(system_u:object_r:cupsd_exec_t,s0)
  /usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
  /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
  
-@@ -52,3 +53,5 @@
+@@ -52,3 +54,5 @@
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
  /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
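Review bot: The new file-context entry `/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)` is not mentioned in the log message or the 2.6.4-60 changelog, which list only the exim entrypoint. The same applies to `allow cupsd_t self:shm create_shm_perms;`, added in the cups.te hunk that follows. Labelling a binary with an `_exec_t` type changes which domain it runs in for any caller that has a transition on that type, and those transition rules are outside this hunk, so the effect cannot be confirmed from here. I would add changelog lines such as `- Label /usr/bin/hpijs as hplip_exec_t` and `- Allow cupsd_t to create shared memory` so these access changes can be audited from the package history.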
@@ -5180,8 +5182,15 @@
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-10-05 08:56:23.000000000 -0400
-@@ -93,8 +93,6 @@
++++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-11-26 13:00:58.000000000 -0500
+@@ -87,14 +87,13 @@
+ allow cupsd_t self:unix_dgram_socket create_socket_perms;
+ allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+ allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
++allow cupsd_t self:shm create_shm_perms;
+ allow cupsd_t self:tcp_socket create_stream_socket_perms;
+ allow cupsd_t self:udp_socket create_socket_perms;
+ allow cupsd_t self:appletalk_socket create_socket_perms;
  # generic socket here until appletalk socket is available in kernels
  allow cupsd_t self:socket create_socket_perms;
  
@@ -5190,7 +5199,7 @@
  allow cupsd_t cupsd_etc_t:{ dir file } setattr;
  read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
-@@ -107,7 +105,7 @@
+@@ -107,7 +106,7 @@
  
  # allow cups to execute its backend scripts
  can_exec(cupsd_t, cupsd_exec_t)
@@ -5199,7 +5208,7 @@
  allow cupsd_t cupsd_exec_t:lnk_file read;
  
  manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -151,20 +149,23 @@
+@@ -151,20 +150,23 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
@@ -5224,7 +5233,7 @@
  
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -177,6 +178,7 @@
+@@ -177,6 +179,7 @@
  term_search_ptys(cupsd_t)
  
  auth_domtrans_chk_passwd(cupsd_t)
@@ -5232,7 +5241,7 @@
  auth_dontaudit_read_pam_pid(cupsd_t)
  
  # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-@@ -199,14 +201,17 @@
+@@ -199,14 +202,17 @@
  files_read_var_symlinks(cupsd_t)
  # for /etc/printcap
  files_dontaudit_write_etc_files(cupsd_t)
@@ -5254,7 +5263,7 @@
  
  libs_use_ld_so(cupsd_t)
  libs_use_shared_libs(cupsd_t)
-@@ -214,6 +219,7 @@
+@@ -214,6 +220,7 @@
  libs_read_lib_files(cupsd_t)
  
  logging_send_syslog_msg(cupsd_t)
@@ -5262,7 +5271,7 @@
  
  miscfiles_read_localization(cupsd_t)
  # invoking ghostscript needs to read fonts
-@@ -223,6 +229,7 @@
+@@ -223,6 +230,7 @@
  
  sysnet_read_config(cupsd_t)
  
@@ -5270,7 +5279,7 @@
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_all_users_home_content(cupsd_t)
  
-@@ -233,6 +240,10 @@
+@@ -233,6 +241,10 @@
  	lpd_relabel_spool(cupsd_t)
  ')
  
@@ -5281,7 +5290,7 @@
  ifdef(`targeted_policy',`
  	files_dontaudit_read_root_files(cupsd_t)
  
-@@ -284,6 +295,10 @@
+@@ -284,6 +296,10 @@
  ')
  
  optional_policy(`
@@ -5292,7 +5301,7 @@
  	nscd_socket_use(cupsd_t)
  ')
  
-@@ -294,6 +309,10 @@
+@@ -294,6 +310,10 @@
  ')
  
  optional_policy(`
@@ -5303,7 +5312,7 @@
  	seutil_sigchld_newrole(cupsd_t)
  ')
  
-@@ -587,7 +606,7 @@
+@@ -587,7 +607,7 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -6966,7 +6975,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.6.4/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.if	2007-11-06 10:44:21.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/mta.if	2007-12-02 21:56:29.000000000 -0500
 @@ -87,6 +87,8 @@
  	# It wants to check for nscd
  	files_dontaudit_search_pids($1_mail_t)
@@ -7061,7 +7070,7 @@
  	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  
-@@ -449,11 +486,12 @@
+@@ -449,11 +486,13 @@
  interface(`mta_send_mail',`
  	gen_require(`
  		attribute mta_user_agent;
@@ -7074,10 +7083,11 @@
 -	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
 +	allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms;
 +	domain_auto_trans($1, mailclient_exec_type, system_mail_t)
++	allow system_mail_t mailclient_exec_type:file entrypoint;
  
  	allow $1 system_mail_t:fd use;
  	allow system_mail_t $1:fd use;
-@@ -847,6 +885,25 @@
+@@ -847,6 +886,25 @@
  	manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
  ')
  
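Review bot: The added rule `allow system_mail_t mailclient_exec_type:file entrypoint;` does not reference `$1`, yet it sits inside the mta_send_mail interface, so it is emitted again for every caller and exists only when some module calls that interface. It matches the attribute-wide `domain_auto_trans` on the line above, but it makes every type carrying `mailclient_exec_type` a valid entry point for system_mail_t, which is broader than the changelog's "Allow exim to be an entrypoint". The attribute's members are not visible in this hunk. Consider stating the rule once in mta.te next to the declaration of system_mail_t, or naming exim's executable type instead of the attribute if only exim is intended. The interface body begins and ends outside this hunk.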


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.508
retrieving revision 1.509
diff -u -r1.508 -r1.509
--- selinux-policy.spec	26 Nov 2007 16:04:14 -0000	1.508
+++ selinux-policy.spec	3 Dec 2007 02:58:08 -0000	1.509
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 59%{?dist}
+Release: 60%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -363,6 +363,9 @@
 %endif
 
 %changelog
+* Sun Dec 2 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-60
+- Allow exim to be an entrypoint for system_mail_t
+
 * Mon Nov 26 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-59
 - Allow udev to relabel lnk_files on /dev
 



