rpms/selinux-policy/F-8 policy-20070703.patch, 1.153, 1.154 selinux-policy.spec, 1.592, 1.593
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Dec 10 20:32:16 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29457
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Thu Dec 6 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-67
- Allow kdm to transition to bootloader_t through grub
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.153
retrieving revision 1.154
diff -u -r1.153 -r1.154
--- policy-20070703.patch 7 Dec 2007 21:18:41 -0000 1.153
+++ policy-20070703.patch 10 Dec 2007 20:32:09 -0000 1.154
@@ -5591,6 +5591,35 @@
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.0.8/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-10-22 13:21:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/terminal.if 2007-12-10 09:32:14.000000000 -0500
+@@ -525,11 +525,13 @@
+ interface(`term_use_generic_ptys',`
+ gen_require(`
+ type devpts_t;
++ attribute server_ptynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 devpts_t:chr_file { rw_term_perms lock append };
++ allow $1 server_ptynode:chr_file { getattr read write ioctl };
+ ')
+
+ ########################################
+@@ -547,9 +549,11 @@
+ interface(`term_dontaudit_use_generic_ptys',`
+ gen_require(`
+ type devpts_t;
++ attribute server_ptynode;
+ ')
+
+ dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
++ dontaudit $1 server_ptynode:chr_file { getattr read write ioctl };
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.8/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/terminal.te 2007-12-02 21:15:34.000000000 -0500
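Review bot: The added `allow $1 server_ptynode:chr_file { getattr read write ioctl };` in term_use_generic_ptys extends an interface named for generic devpts ptys to every pty whose type carries the server_ptynode attribute, and it does so for every existing caller of the interface at once. The interface's `<summary>`/`<desc>` block sits above the hunk and is not visible here, so it should be updated to say that server ptys are now included, e.g. `## Read and write generic ptys, including server ptys (server_ptynode).`; the same applies to term_dontaudit_use_generic_ptys, whose matching dontaudit line is further down in this hunk. If only a few callers actually need server ptys, a separate interface would keep the grant narrower. The terminal.te diff whose header closes this hunk continues outside the hunk.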
@@ -10730,7 +10759,16 @@
/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.8/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/openvpn.te 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/openvpn.te 2007-12-10 09:37:24.000000000 -0500
+@@ -35,7 +35,7 @@
+ # openvpn local policy
+ #
+
+-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
++allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+ allow openvpn_t self:process { signal getsched };
+
+ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -108,6 +108,14 @@
dbus_system_bus_client_template(openvpn,openvpn_t)
dbus_connect_system_bus(openvpn_t)
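Review bot: The new `sys_chroot` in `allow openvpn_t self:capability { ... }` carries no comment saying which feature needs it; presumably openvpn's `--chroot` option, but the hunk shows neither the denial nor the configuration that motivated it. A one-line comment above the rule, such as `# sys_chroot: needed for openvpn --chroot (confirm)`, would let a later reader tell this capability apart from the others in the set. The remaining openvpn.te changes (the `@@ -108,6 +108,14 @@` hunk that begins at the end of this hunk) are outside this view.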
@@ -18272,13 +18310,15 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2007-12-02 21:15:34.000000000 -0500
-@@ -10,3 +10,5 @@
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2007-12-10 14:53:06.000000000 -0500
+@@ -10,3 +10,7 @@
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
++/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-12-02 21:15:34.000000000 -0500
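Review bot: Labeling `/usr/bin/mock` and `/usr/sbin/sysreport` as unconfined_notrans_exec_t puts both binaries on the new transition path out of unconfined_t, yet nothing in the .fc file records why these two programs need a domain of their own. Since file_contexts files accept `#` comments, a short comment before the two entries, e.g. `# run from unconfined_t in unconfined_notrans_t (see unconfined.te)`, would make the grouping self-explanatory; the "no further transitions" intent is only inferred from the name, so it should be stated where the domain is declared rather than here. The type declarations and local policy for this domain are in the `@@ -18635,6 +18675,11 @@` and `@@ -18847,6 +18892,16 @@` hunks below.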
@@ -18597,8 +18637,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-12-02 21:15:34.000000000 -0500
-@@ -5,36 +5,52 @@
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-12-10 14:39:10.000000000 -0500
+@@ -5,36 +5,57 @@
#
# Declarations
#
@@ -18635,6 +18675,11 @@
+unconfined_domain(unconfined_t)
+
++type unconfined_notrans_t;
++type unconfined_notrans_exec_t;
++init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
++role unconfined_r types unconfined_notrans_t;
++
########################################
#
# Local policy
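Review bot: The four new declarations introduce unconfined_notrans_t via `init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)` and `role unconfined_r types unconfined_notrans_t;` without a comment saying what the domain is for; the name suggests a domain in which no further domain transitions happen, but no visible line establishes that. A comment above `type unconfined_notrans_t;`, such as `# unconfined_notrans_t: entered from unconfined_t for mock/sysreport; intended to stop further transitions — confirm`, would record the intent for the next reviewer. init_system_domain presumably also authorises the domain for system_r; if the type is only ever entered from unconfined_t (the domtrans_pattern in the `@@ -18847,6 +18892,16 @@` hunk), that may be broader than needed and is worth confirming.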
@@ -18658,7 +18703,7 @@
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +58,40 @@
+@@ -42,37 +63,40 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -18708,7 +18753,7 @@
')
optional_policy(`
-@@ -107,22 +126,22 @@
+@@ -107,22 +131,22 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
@@ -18737,7 +18782,7 @@
')
optional_policy(`
-@@ -130,15 +149,10 @@
+@@ -130,15 +154,10 @@
')
optional_policy(`
@@ -18755,7 +18800,7 @@
')
optional_policy(`
-@@ -154,33 +168,20 @@
+@@ -154,33 +173,20 @@
')
optional_policy(`
@@ -18793,7 +18838,7 @@
')
optional_policy(`
-@@ -205,11 +206,22 @@
+@@ -205,11 +211,22 @@
')
optional_policy(`
@@ -18805,20 +18850,20 @@
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mozilla_t)
+ allow unconfined_mozilla_t self:process { execstack execmem };
++')
++
++optional_policy(`
++ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
-+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
-+')
-+
-+optional_policy(`
+ xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t)
')
########################################
-@@ -219,14 +231,28 @@
+@@ -219,14 +236,38 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -18847,6 +18892,16 @@
')
+
+corecmd_exec_all_executables(unconfined_t)
++
++########################################
++#
++# Unconfined notrans Local policy
++#
++
++allow unconfined_notrans_t self:process { execstack execmem };
++unconfined_domain_noaudit(unconfined_notrans_t)
++domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.8/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-10-22 13:21:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.fc 2007-12-02 21:15:34.000000000 -0500
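Review bot: unconfined_notrans_t is made unconfined with `unconfined_domain_noaudit(unconfined_notrans_t)`, whereas unconfined_t itself uses `unconfined_domain(unconfined_t)` in the `@@ -18635,6 +18675,11 @@` hunk; if the _noaudit variant suppresses denial auditing as its name suggests, denials raised while mock or sysreport run would not reach the audit log, which reduces what an administrator can observe about those tools. Unless audit noise is the reason, the plain `unconfined_domain(unconfined_notrans_t)` would keep this domain as visible as unconfined_t; either way the choice deserves a comment under the `# Unconfined notrans Local policy` header, together with a sentence saying what "notrans" means here. The `allow unconfined_notrans_t self:process { execstack execmem };` line mirrors the unconfined_execmem_t rule seen earlier, which is consistent.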
@@ -18858,7 +18913,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-07 15:26:55.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-10 14:48:25.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -19984,7 +20039,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5559,3 +5770,399 @@
+@@ -5559,3 +5770,419 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -20131,6 +20186,26 @@
+
+########################################
+## <summary>
++## append all unprivileged users home files
++## files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_append_unpriv_users_home_content_files',`
++ gen_require(`
++ attribute user_home_dir_type, user_home_type;
++ ')
++
++ files_search_home($1)
++ append_files_pattern($1, user_home_dir_type, user_home_type)
++')
++
++########################################
++## <summary>
+## dontaudit search all users home directory
+## files.
+## </summary>
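Review bot: The `<summary>` of the new userdom_append_unpriv_users_home_content_files interface reads `append all unprivileged users home files` followed by `files.`, copied from the neighbouring interface's two-line summary, so it now says "home files files". Replace the two lines with `## Append all unprivileged users home content` / `## files.` so the wording matches the interface name. The body (`files_search_home($1)` and `append_files_pattern($1, user_home_dir_type, user_home_type)`) follows the same shape as the sibling interfaces in this file.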
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.592
retrieving revision 1.593
diff -u -r1.592 -r1.593
--- selinux-policy.spec 7 Dec 2007 18:41:45 -0000 1.592
+++ selinux-policy.spec 10 Dec 2007 20:32:09 -0000 1.593
@@ -305,7 +305,7 @@
%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-63-1
semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
-semanage login -m -r s0-s0:c0.c1023 __default__ 2> /dev/null
+semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ 2> /dev/null
exit 0
%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-14-1
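Review bot: The `%triggerpostun` now runs `semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__`, but both semanage calls send stderr to `/dev/null` and the scriptlet ends with `exit 0`, so a failed remap of `__default__` leaves no trace in the transaction; capturing stderr to a log file (path per distribution convention) instead of discarding it would let an administrator notice that the mapping was not applied. Separately, the spec's `%changelog` is not touched by this revision, and the quoted log entry ("Allow kdm to transition to bootloader_t through grub") describes none of the changes made to policy-20070703.patch here (terminal.if server_ptynode access, openvpn sys_chroot, the unconfined_notrans_t domain, the new userdom append interface); a changelog entry listing them would make the update auditable.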