rpms/selinux-policy/devel policy-20071130.patch, 1.17, 1.18 selinux-policy.spec, 1.574, 1.575

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Dec 20 21:26:37 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31561

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-3
- Run rpm in system_r


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- policy-20071130.patch	19 Dec 2007 21:45:51 -0000	1.17
+++ policy-20071130.patch	20 Dec 2007 21:26:31 -0000	1.18
@@ -206,7 +206,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.5/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/admin/alsa.te	2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/alsa.te	2007-12-20 08:55:02.000000000 -0500
 @@ -8,12 +8,15 @@
  
  type alsa_t;
@@ -224,7 +224,7 @@
  ########################################
  #
  # Local policy
-@@ -30,11 +33,18 @@
+@@ -30,14 +33,23 @@
  manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
  files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
  
@@ -243,7 +243,12 @@
  files_search_home(alsa_t)
  files_read_etc_files(alsa_t)
  
-@@ -48,10 +58,7 @@
++auth_use_nsswitch(alsa_t)
++
+ libs_use_ld_so(alsa_t)
+ libs_use_shared_libs(alsa_t)
+ 
+@@ -48,10 +60,7 @@
  userdom_manage_unpriv_user_semaphores(alsa_t)
  userdom_manage_unpriv_user_shared_mem(alsa_t)
  userdom_search_generic_user_home_dirs(alsa_t)
@@ -920,7 +925,7 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2007-12-20 08:55:42.000000000 -0500
 @@ -152,6 +152,24 @@
  
  ########################################
@@ -1002,7 +1007,7 @@
  ')
  
  ########################################
-@@ -289,3 +346,111 @@
+@@ -289,3 +346,137 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -1114,6 +1119,32 @@
 +	read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
 +')
 +
++########################################
++## <summary>
++##	Transition to system_r when execute an init script
++## </summary>
++## <desc>
++##      <p>
++##	Execute rpm script in a specified role
++##      </p>
++##      <p>
++##      No interprocess communication (signals, pipes,
++##      etc.) is provided by this interface since
++##      the domains are not owned by this module.
++##      </p>
++## </desc>
++## <param name="source_role">
++##	<summary>
++##	Role to transition from.
++##	</summary>
++## </param>
++interface(`rpm_role_transition',`
++	gen_require(`
++		type rpm_t;
++	')
++
++	role_transition $1 rpm_t system_r;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.5/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-12-19 05:32:18.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/admin/rpm.te	2007-12-19 05:38:08.000000000 -0500
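Review bot: `role_transition $1 rpm_t system_r;` keys the new rpm_role_transition on rpm_t, which by name is the rpm process domain, but role_transition rules are matched against the type of the executable being run, not the resulting domain, so as written the rule would only fire for a file actually labeled rpm_t and `rpm` launched from $1 would stay in the caller's role — the commit message's "Run rpm in system_r" would not take effect through this interface. The fix is to require and transition on the entrypoint type: `type rpm_exec_t;` in the gen_require and `role_transition $1 rpm_exec_t system_r;`, and, unless rpm is guaranteed to be in the base module, also `role system_r;` in the gen_require so the role resolves at link time. The summary and first desc paragraph look copied from the init-script interface; replace them with `Transition to system_r when executing rpm` and `Execute rpm in the system_r role` so `sepolgen-ifgen` users do not pick this up as an init-script rule.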
@@ -3699,7 +3730,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/files.if	2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/files.if	2007-12-20 16:15:45.000000000 -0500
 @@ -1266,6 +1266,24 @@
  
  ########################################
@@ -5138,7 +5169,7 @@
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/cron.if	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cron.if	2007-12-20 14:02:12.000000000 -0500
 @@ -35,38 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -5388,6 +5419,30 @@
  ##	Read, and write cron daemon TCP sockets.
  ## </summary>
  ## <param name="domain">
+@@ -583,3 +495,23 @@
+ 
+ 	dontaudit $1 system_crond_tmp_t:file append;
+ ')
++
++
++########################################
++## <summary>
++##	Read temporary files from the system cron jobs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cron_read_system_job_lib_files',`
++	gen_require(`
++		type system_crond_var_lib_t;
++	')
++
++
++	read_files_pattern($1, system_crond_var_lib_t,  system_crond_var_lib_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/cron.te	2007-12-19 05:38:09.000000000 -0500
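Review bot: The summary on the new cron_read_system_job_lib_files interface says `Read temporary files from the system cron jobs`, but the body grants read on system_crond_var_lib_t, which this patch labels `/var/lib/misc(/.*)?` (the fcontext line just above this hunk), not on a tmp type, so anyone choosing interfaces by summary gets the wrong idea about what it opens up. Change it to `Read the /var/lib files (system_crond_var_lib_t) of system cron jobs`. The doubled blank lines before the `#` marker and after the gen_require are also out of step with the rest of cron.if.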
@@ -6698,7 +6753,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.5/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/hal.te	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/hal.te	2007-12-20 14:02:58.000000000 -0500
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -6782,11 +6837,14 @@
  libs_use_ld_so(hald_mac_t)
  libs_use_shared_libs(hald_mac_t)
  
-@@ -391,3 +412,4 @@
+@@ -391,3 +412,7 @@
  libs_use_shared_libs(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
 +
++# This is caused by a bug in hald and PolicyKit.  
++# Should be removed when this is fixed
++cron_read_system_job_lib_files(hald_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.5/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/inetd.te	2007-12-19 05:38:09.000000000 -0500
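Review bot: The new `cron_read_system_job_lib_files(hald_t)` gives hald read access to every system_crond_var_lib_t file, i.e. all of `/var/lib/misc` per this patch's file contexts, and the comment says it should go away once the hald/PolicyKit bug is fixed but gives nothing to track that by, which is how temporary allow rules become permanent. Record the reference on the comment, e.g. `# Workaround for hald/PolicyKit bug (bz#NNNNNN); remove once fixed`. If what hald actually reads under /var/lib/misc is a single PolicyKit state file, a dedicated file context for that path would be narrower than granting the whole cron lib type — the hunk does not show which file it is, so this is a question rather than a finding.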
@@ -11742,7 +11800,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.5/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/fstools.te	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/fstools.te	2007-12-20 16:16:24.000000000 -0500
 @@ -109,8 +109,7 @@
  
  term_use_console(fsadm_t)
@@ -11753,7 +11811,16 @@
  #RedHat bug #201164
  corecmd_exec_shell(fsadm_t)
  
-@@ -183,4 +182,5 @@
+@@ -132,6 +131,8 @@
+ # Access to /initrd devices
+ files_rw_isid_type_dirs(fsadm_t)
+ files_rw_isid_type_blk_files(fsadm_t)
++files_read_isid_type_files(fsadm_t)
++
+ # Recreate /mnt/cdrom.
+ files_manage_mnt_dirs(fsadm_t)
+ # for tune2fs
+@@ -183,4 +184,5 @@
  
  optional_policy(`
  	xen_append_log(fsadm_t)
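Review bot: The added `files_read_isid_type_files(fsadm_t)` carries no explanation, and the comment above it (`# Access to /initrd devices`) covers only the dir and blk_file rules; isid-type files are any regular file still carrying an initial-SID type, so a reader cannot tell what fsadm needs to read or why. If it is the same initrd case, extend the comment to `# Access to /initrd devices and isid-labeled regular files there`; otherwise name the trigger (the AVC or bug) on a comment line of its own. The interface itself is new in this patch (files.if, outside this hunk), so the widened access deserves a why-comment where it is granted.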
@@ -11811,7 +11878,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.5/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/system/init.if	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/init.if	2007-12-20 08:48:00.000000000 -0500
 @@ -211,6 +211,13 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -14034,8 +14101,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2007-12-19 16:35:02.000000000 -0500
-@@ -9,32 +9,48 @@
++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2007-12-20 09:13:54.000000000 -0500
+@@ -9,32 +9,49 @@
  # usage in this module of types created by these
  # calls is not correct, however we dont currently
  # have another method to add access to these types
@@ -14054,6 +14121,7 @@
 +allow system_r unconfined_r;
 +allow unconfined_r system_r;
 +init_script_role_transition(unconfined_r)
++rpm_role_transition(unconfined_r)
  
  type unconfined_execmem_t;
  type unconfined_execmem_exec_t;
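Review bot: `rpm_role_transition(unconfined_r)` is called unconditionally, while unconfined.te wraps its other cross-module calls in `optional_policy()` (visible in the surrounding hunks); unless the rpm module is guaranteed to be part of base, a build without it would fail to link the unconfined module on this line. If that guarantee does not hold, wrap it: `optional_policy(\`` / `rpm_role_transition(unconfined_r)` / `')`. The `allow unconfined_r system_r;` and `allow system_r unconfined_r;` role allows it depends on are already present two lines above, so the transition itself is fully wired on this side.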
@@ -14088,7 +14156,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,7 +58,10 @@
+@@ -42,7 +59,10 @@
  logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -14099,7 +14167,7 @@
  seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -51,13 +70,13 @@
+@@ -51,13 +71,13 @@
  userdom_priveleged_home_dir_manager(unconfined_t)
  
  optional_policy(`
@@ -14115,7 +14183,7 @@
  	unconfined_domain(httpd_unconfined_script_t)
  ')
  
-@@ -69,11 +88,11 @@
+@@ -69,11 +89,11 @@
  	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
@@ -14132,7 +14200,7 @@
  
  optional_policy(`
  	init_dbus_chat_script(unconfined_t)
-@@ -107,6 +126,10 @@
+@@ -107,6 +127,10 @@
  	optional_policy(`
  		oddjob_dbus_chat(unconfined_t)
  	')
@@ -14143,7 +14211,7 @@
  ')
  
  optional_policy(`
-@@ -118,11 +141,7 @@
+@@ -118,11 +142,7 @@
  ')
  
  optional_policy(`
@@ -14156,7 +14224,7 @@
  ')
  
  optional_policy(`
-@@ -134,14 +153,6 @@
+@@ -134,14 +154,6 @@
  ')
  
  optional_policy(`
@@ -14171,7 +14239,7 @@
  	oddjob_domtrans_mkhomedir(unconfined_t)
  ')
  
-@@ -154,33 +165,20 @@
+@@ -154,33 +166,20 @@
  ')
  
  optional_policy(`
@@ -14209,7 +14277,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +203,30 @@
+@@ -205,11 +204,30 @@
  ')
  
  optional_policy(`
@@ -14242,34 +14310,34 @@
  ')
  
  ########################################
-@@ -219,14 +236,36 @@
+@@ -219,14 +237,32 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
 +allow unconfined_execmem_t unconfined_t:process transition;
  
  optional_policy(`
-+	init_dbus_chat_script(unconfined_execmem_t)
-+
- 	dbus_stub(unconfined_execmem_t)
- 
--	init_dbus_chat_script(unconfined_execmem_t)
-+	dbus_connect_system_bus(unconfined_execmem_t)
-+	unconfined_dbus_connect(unconfined_execmem_t)
+-	dbus_stub(unconfined_execmem_t)
+-
+ 	init_dbus_chat_script(unconfined_execmem_t)
++	dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
  	unconfined_dbus_chat(unconfined_execmem_t)
++	unconfined_dbus_connect(unconfined_execmem_t)
++')
  
- 	optional_policy(`
-+		avahi_dbus_chat(unconfined_execmem_t)
-+	')
-+
-+	optional_policy(`
- 		hal_dbus_chat(unconfined_execmem_t)
- 	')
+-	optional_policy(`
+-		hal_dbus_chat(unconfined_execmem_t)
+-	')
++optional_policy(`
++	avahi_dbus_chat(unconfined_execmem_t)
++')
 +
-+	optional_policy(`
-+		xserver_xdm_rw_shm(unconfined_execmem_t)
++optional_policy(`
++	hal_dbus_chat(unconfined_execmem_t)
++')
 +
-+	')
++optional_policy(`
++	xserver_xdm_rw_shm(unconfined_execmem_t)
  ')
 +
 +########################################
@@ -14295,7 +14363,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2007-12-19 16:35:24.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2007-12-20 14:54:51.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.574
retrieving revision 1.575
diff -u -r1.574 -r1.575
--- selinux-policy.spec	19 Dec 2007 21:45:51 -0000	1.574
+++ selinux-policy.spec	20 Dec 2007 21:26:31 -0000	1.575
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -73,6 +73,9 @@
 %{_usr}/share/selinux/devel/policy.*
 %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
 
+%check devel
+/usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null
+
 %post devel
 [ -x /usr/bin/sepolgen-ifgen ] && /usr/bin/sepolgen-ifgen 
 exit 0
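Review bot: `%check devel` — %check is a build-stage section like %build and %install and does not take a subpackage name the way `%post devel` does, so the trailing `devel` is either rejected by rpmbuild or silently ignored; write `%check` on its own, with a comment such as `# fail the build if the shipped devel headers do not parse with sepolgen-ifgen`. The check also hard-codes `/usr/bin/sepolgen-ifgen` and will fail the build outright if it is absent, whereas the %post below guards the same binary with `[ -x ... ]`; that is presumably intended for %check, but it means the package that ships sepolgen-ifgen must be in BuildRequires, which this diff does not show.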
@@ -383,6 +386,9 @@
 %endif
 
 %changelog
+* Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-3
+- Run rpm in system_r
+
 * Wed Dec 19 2007 Dan Walsh <dwalsh at redhat.com> 3.2.5-2
 - Zero out customizable types
 



