rpms/selinux-policy/F-8 policy-20070703.patch, 1.155, 1.156 selinux-policy.spec, 1.594, 1.595
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Dec 17 22:50:51 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6516
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Wed Dec 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-69
- Allow ssh to read sym links in homedirs
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.155
retrieving revision 1.156
diff -u -r1.155 -r1.156
--- policy-20070703.patch 10 Dec 2007 21:30:41 -0000 1.155
+++ policy-20070703.patch 17 Dec 2007 22:50:40 -0000 1.156
@@ -2353,8 +2353,8 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-12-02 21:15:34.000000000 -0500
-@@ -92,6 +92,7 @@
++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-12-17 10:55:24.000000000 -0500
+@@ -92,10 +92,12 @@
dev_read_urand(chfn_t)
auth_domtrans_chk_passwd(chfn_t)
@@ -2362,7 +2362,12 @@
auth_dontaudit_read_shadow(chfn_t)
# allow checking if a shell is executable
-@@ -297,9 +298,11 @@
+ corecmd_check_exec_shell(chfn_t)
++corecmd_exec_bin(chfn_t)
+
+ domain_use_interactive_fds(chfn_t)
+
+@@ -297,9 +299,11 @@
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
@@ -2374,7 +2379,7 @@
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
-@@ -315,6 +318,7 @@
+@@ -315,6 +319,7 @@
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -2382,7 +2387,7 @@
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
-@@ -520,6 +524,10 @@
+@@ -520,6 +525,10 @@
mta_manage_spool(useradd_t)
optional_policy(`
@@ -2393,7 +2398,7 @@
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
-@@ -529,6 +537,12 @@
+@@ -529,6 +538,12 @@
')
optional_policy(`
@@ -3237,7 +3242,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-07 15:45:14.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-13 08:25:49.000000000 -0500
@@ -36,6 +36,8 @@
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
@@ -3270,7 +3275,19 @@
allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
allow $1_mozilla_t self:sem create_sem_perms;
-@@ -96,15 +106,37 @@
+@@ -71,6 +81,11 @@
+ # for bash - old mozilla binary
+ can_exec($1_mozilla_t, mozilla_exec_t)
+
++ domain_read_all_domains_state($1_mozilla_t)
++
++ fs_getattr_tmpfs($1_mozilla_t)
++ fs_manage_tmpfs_files($1_mozilla_t)
++
+ # X access, Home files
+ manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
+ manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
+@@ -96,15 +111,37 @@
relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
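Review bot: `domain_read_all_domains_state($1_mozilla_t)` at the top of the added block lets the browser domain read the /proc state of every domain on the system, and the two tmpfs lines beside it give it manage access to all tmpfs files; none of the three carries a comment saying what in Mozilla needs them, unlike the `# for bash - old mozilla binary` line just above. A one-line why-comment would let a later reader judge whether a narrower interface would do, e.g. `# needed for <feature> — TODO record the denial this fixes`. The enclosing template starts and ends outside the hunk.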
@@ -3315,7 +3332,7 @@
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
-@@ -115,8 +147,9 @@
+@@ -115,8 +152,9 @@
kernel_read_kernel_sysctls($1_mozilla_t)
kernel_read_network_state($1_mozilla_t)
# Access /proc, sysctl
@@ -3327,7 +3344,7 @@
# Look for plugins
corecmd_list_bin($1_mozilla_t)
-@@ -165,11 +198,23 @@
+@@ -165,11 +203,23 @@
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
@@ -3351,7 +3368,7 @@
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
-@@ -184,16 +229,14 @@
+@@ -184,16 +234,14 @@
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
@@ -3372,7 +3389,7 @@
tunable_policy(`allow_execmem',`
allow $1_mozilla_t self:process { execmem execstack };
-@@ -211,131 +254,8 @@
+@@ -211,131 +259,8 @@
fs_manage_cifs_symlinks($1_mozilla_t)
')
@@ -3506,7 +3523,7 @@
')
optional_policy(`
-@@ -350,21 +270,26 @@
+@@ -350,21 +275,26 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
@@ -3519,14 +3536,14 @@
- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
- dbus_send_user_bus($1,$1_mozilla_t)
+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
-+ ')
-+
-+ optional_policy(`
-+ gnome_exec_gconf($1_mozilla_t)
-+ gnome_manage_user_gnome_config($1,$1_mozilla_t)
')
optional_policy(`
++ gnome_exec_gconf($1_mozilla_t)
++ gnome_manage_user_gnome_config($1,$1_mozilla_t)
++ ')
++
++ optional_policy(`
+ gnome_domtrans_user_gconf($1,$1_mozilla_t)
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
')
@@ -3537,7 +3554,7 @@
')
optional_policy(`
-@@ -384,25 +309,6 @@
+@@ -384,25 +314,6 @@
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
')
@@ -3563,7 +3580,7 @@
')
########################################
-@@ -575,3 +481,27 @@
+@@ -575,3 +486,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
@@ -3689,7 +3706,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-12-02 21:33:52.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-12-13 10:47:36.000000000 -0500
@@ -22,17 +22,21 @@
type vmware_var_run_t;
files_pid_file(vmware_var_run_t)
@@ -3732,7 +3749,7 @@
dev_rw_vmware(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
-@@ -99,14 +107,6 @@
+@@ -99,14 +107,11 @@
')
netutils_domtrans_ping(vmware_host_t)
@@ -3741,13 +3758,17 @@
optional_policy(`
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
--')
++ unconfined_domain(vmware_host_t)
+ ')
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
-+ unconfined_domain(vmware_host_t)
++
++optional_policy(`
++ xserver_xdm_rw_shm(vmware_host_t)
')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-12-02 21:15:34.000000000 -0500
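Review bot: `unconfined_domain(vmware_host_t)` on the new side makes the vmware host domain fully unconfined, yet the block carries no comment explaining why confinement was given up (the removed `allow kernel_t ...` rules suggest a narrower approach was tried and dropped). Since this is the most consequential rule in the hunk, a why-comment above the optional_policy block would help, e.g. `# vmware_host_t runs unconfined: <reason — TODO record the denials that motivated this>`. The surrounding vmware.te context begins outside the hunk.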
@@ -3991,7 +4012,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-12-13 16:59:06.000000000 -0500
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -4052,7 +4073,13 @@
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -146,7 +157,7 @@
+@@ -141,12 +152,12 @@
+ network_port(rsh, tcp,514,s0)
+ network_port(rsync, tcp,873,s0, udp,873,s0)
+ network_port(rwho, udp,513,s0)
+-network_port(smbd, tcp,139,s0, tcp,445,s0)
++network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
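Review bot: The rewritten `network_port(smbd, tcp,137-139,s0, tcp,445,s0)` line widens smbd_port_t from TCP 139 to TCP 137–139, but 137 and 138 are the NetBIOS name and datagram services, which run over UDP (nmbd), so the TCP half of that range is unlikely to be what any denial asked for. If the intent was to cover nmbd traffic, the UDP ports are the ones to label, and corenetwork.te.in may already define them under another port type outside this hunk — worth checking for an overlapping definition before widening smbd_port_t. A comment naming the denial this addresses, e.g. `# 137-138 added for: <reason>`, would make the intent checkable.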
@@ -8254,6 +8281,55 @@
+ unconfined_use_terminals(system_dbusd_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.0.8/policy/modules/services/dcc.if
+--- nsaserefpolicy/policy/modules/services/dcc.if 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dcc.if 2007-12-13 15:57:40.000000000 -0500
+@@ -72,6 +72,24 @@
+
+ ########################################
+ ## <summary>
++## Send a signal to the dcc_client.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dcc_signal_client',`
++ gen_require(`
++ type dcc_client_t;
++ ')
++
++ allow $1 dcc_client_t:process signal;
++')
++
++########################################
++## <summary>
+ ## Execute dcc_client in the dcc_client domain, and
+ ## allow the specified role the dcc_client domain.
+ ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.0.8/policy/modules/services/dcc.te
+--- nsaserefpolicy/policy/modules/services/dcc.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dcc.te 2007-12-13 15:53:15.000000000 -0500
+@@ -124,7 +124,7 @@
+ # dcc procmail interface local policy
+ #
+
+-allow dcc_client_t self:capability setuid;
++allow dcc_client_t self:capability { setgid setuid };
+ allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+ allow dcc_client_t self:udp_socket create_socket_perms;
+
+@@ -148,6 +148,8 @@
+ files_read_etc_files(dcc_client_t)
+ files_read_etc_runtime_files(dcc_client_t)
+
++kernel_read_system_state(dcc_client_t)
++
+ libs_use_ld_so(dcc_client_t)
+ libs_use_shared_libs(dcc_client_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dictd.fc 2007-12-02 21:15:34.000000000 -0500
@@ -11897,7 +11973,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2007-12-13 08:21:32.000000000 -0500
@@ -21,11 +21,13 @@
# rpcbind local policy
#
@@ -11913,6 +11989,14 @@
allow rpcbind_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
+@@ -37,6 +39,7 @@
+ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+
++kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpc.if 2007-12-02 21:15:34.000000000 -0500
@@ -12932,7 +13016,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-17 13:48:38.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -12958,16 +13042,17 @@
allow sendmail_t sendmail_log_t:dir setattr;
manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t)
-@@ -49,6 +52,8 @@
+@@ -48,6 +51,9 @@
+ kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
-
-+auth_use_nsswitch(sendmail_t)
++kernel_read_network_state(sendmail_t)
+
++auth_use_nsswitch(sendmail_t)
+
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
- corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -66,6 +71,8 @@
+@@ -66,6 +72,8 @@
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
@@ -12976,7 +13061,7 @@
term_dontaudit_use_console(sendmail_t)
# for piping mail to a command
-@@ -94,30 +101,34 @@
+@@ -94,30 +102,34 @@
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
@@ -13017,7 +13102,7 @@
')
optional_policy(`
-@@ -131,28 +142,33 @@
+@@ -131,28 +143,33 @@
')
optional_policy(`
@@ -13330,7 +13415,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-13 15:57:17.000000000 -0500
@@ -81,11 +81,12 @@
# var/lib files for spamd
@@ -13359,6 +13444,14 @@
fs_manage_cifs_files(spamd_t)
')
+@@ -171,6 +174,7 @@
+
+ optional_policy(`
+ dcc_domtrans_client(spamd_t)
++ dcc_signal_client(spamd_t)
+ dcc_stream_connect_dccifd(spamd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/squid.fc 2007-12-02 21:15:34.000000000 -0500
@@ -13396,7 +13489,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/squid.te 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/squid.te 2007-12-13 08:37:13.000000000 -0500
@@ -36,7 +36,7 @@
# Local policy
#
@@ -13638,7 +13731,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-12-12 16:38:01.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -13648,16 +13741,18 @@
# ssh client executable.
type ssh_exec_t;
-@@ -80,6 +80,8 @@
+@@ -80,6 +80,10 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+userdom_read_all_users_home_dirs_symlinks(sshd_t)
++userdom_read_all_users_home_content_files(sshd_t)
++userdom_read_all_users_home_dirs_symlinks(sshd_t)
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -100,6 +102,11 @@
+@@ -100,6 +104,11 @@
userdom_use_unpriv_users_ptys(sshd_t)
')
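Review bot: The new side of ssh.te ends up with `userdom_read_all_users_home_dirs_symlinks(sshd_t)` twice — the existing line is kept as context and the same call is added again two lines below it; the second copy should be dropped. The other added line, `userdom_read_all_users_home_content_files(sshd_t)`, grants sshd_t read access to every user's home content, which goes well beyond the changelog entry `Allow ssh to read sym links in homedirs`. If that grant is intentional it deserves its own changelog line and a comment naming what sshd needs to read, e.g. `# read users' key files in home dirs — TODO confirm which`.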
@@ -13669,7 +13764,7 @@
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -119,7 +126,13 @@
+@@ -119,7 +128,13 @@
')
optional_policy(`
@@ -13684,7 +13779,7 @@
')
ifdef(`TODO',`
-@@ -231,9 +244,15 @@
+@@ -231,9 +246,15 @@
')
optional_policy(`
@@ -14528,7 +14623,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-12-06 20:54:55.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-12-12 16:40:57.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -14690,8 +14785,11 @@
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
-@@ -350,10 +393,7 @@
+@@ -348,12 +391,10 @@
+ ')
+
optional_policy(`
++ unconfined_domain(xdm_xserver_t)
unconfined_domain(xdm_t)
unconfined_domtrans(xdm_t)
-
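Review bot: `unconfined_domain(xdm_xserver_t)` is added next to `unconfined_domain(xdm_t)` with no comment and no mention in the changelog at the bottom of this commit, which lists only the ssh symlink change; the X server started by xdm becoming unconfined is a larger policy change than the log suggests. A why-comment on the new line, e.g. `# xdm_xserver_t unconfined: <reason>`, and a changelog entry would document it. The optional_policy block continues outside the hunk.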
@@ -14702,7 +14800,7 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
-@@ -385,7 +425,7 @@
+@@ -385,7 +426,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -14711,7 +14809,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -397,6 +437,15 @@
+@@ -397,6 +438,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -14727,7 +14825,7 @@
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -425,6 +474,14 @@
+@@ -425,6 +475,14 @@
')
optional_policy(`
@@ -14742,7 +14840,7 @@
resmgr_stream_connect(xdm_t)
')
-@@ -434,47 +491,26 @@
+@@ -434,47 +492,26 @@
')
optional_policy(`
@@ -15856,7 +15954,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-12-13 14:24:45.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@@ -15979,10 +16077,16 @@
userdom_read_all_users_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -497,6 +511,47 @@
+@@ -496,6 +510,52 @@
+ ')
')
- optional_policy(`
++# Cron jobs used to start and stop services
++optional_policy(`
++ cron_read_pipes(daemon)
++')
++
++optional_policy(`
+ rhgb_use_ptys(daemon)
+')
+
@@ -16023,11 +16127,10 @@
+ ')
+')
+
-+optional_policy(`
+ optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
- ')
-@@ -632,12 +687,6 @@
+@@ -632,12 +692,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -16040,7 +16143,7 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -649,15 +698,10 @@
+@@ -649,15 +703,10 @@
')
optional_policy(`
@@ -16056,7 +16159,7 @@
openvpn_read_config(initrc_t)
')
-@@ -703,6 +747,9 @@
+@@ -703,6 +752,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -16066,7 +16169,7 @@
')
optional_policy(`
-@@ -749,6 +796,12 @@
+@@ -749,6 +801,12 @@
')
')
@@ -16234,7 +16337,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-12-17 11:22:51.000000000 -0500
@@ -65,11 +65,15 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -18322,7 +18425,7 @@
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-12-13 12:37:30.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -18914,7 +19017,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-10 14:48:25.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-12 16:38:48.000000000 -0500
@@ -29,8 +29,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.594
retrieving revision 1.595
diff -u -r1.594 -r1.595
--- selinux-policy.spec 10 Dec 2007 21:30:41 -0000 1.594
+++ selinux-policy.spec 17 Dec 2007 22:50:40 -0000 1.595
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 68%{?dist}
+Release: 69%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -303,8 +303,9 @@
exit 0
-%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-63-1
+%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-69-1
semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ 2> /dev/null
exit 0
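Review bot: The added `semanage user -m ...` line, like the `-a` line above it, sends stderr to /dev/null, and the trigger ends with `exit 0`, so a failed update of unconfined_u leaves no trace in the upgrade output. Keeping the `-a` quiet is reasonable (it fails whenever the user already exists), but the `-m` is the step expected to succeed; consider `semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null || echo "selinux-policy: updating unconfined_u failed" >&2` so the upgrade at least reports it.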
@@ -381,6 +382,9 @@
%endif
%changelog
+* Wed Dec 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-69
+- Allow ssh to read sym links in homedirs
+
* Mon Dec 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-68
- Allow ldconfig to manage files in the homedir