rpms/selinux-policy/F-8 policy-20070703.patch, 1.158, 1.159 selinux-policy.spec, 1.596, 1.597
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Dec 21 21:46:18 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11870
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Fri Dec 21 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-71
- add file context for nspluginwrapper
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.158
retrieving revision 1.159
diff -u -r1.158 -r1.159
--- policy-20070703.patch 21 Dec 2007 08:00:48 -0000 1.158
+++ policy-20070703.patch 21 Dec 2007 21:46:09 -0000 1.159
@@ -3250,7 +3250,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-13 08:25:49.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-21 16:45:12.000000000 -0500
@@ -36,6 +36,8 @@
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
@@ -3295,7 +3295,7 @@
# X access, Home files
manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
-@@ -96,15 +111,37 @@
+@@ -96,15 +111,39 @@
relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
@@ -3333,15 +3333,20 @@
+ userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
+ userdom_manage_user_home_content_files($1,$1_mozilla_t)
+ userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
++ userdom_user_home_dir_filetrans_user_home_content($1,$1_mozilla_t, { file dir })
+ ', `
+ # helper apps will try to create .files
+ userdom_dontaudit_create_user_home_content_files($1,$1_mozilla_t)
++ userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir)
+ ')
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
-@@ -115,8 +152,9 @@
+@@ -113,10 +152,12 @@
+ allow $2 $1_mozilla_t:process signal_perms;
+
kernel_read_kernel_sysctls($1_mozilla_t)
++ kernel_read_fs_sysctls($1_mozilla_t)
kernel_read_network_state($1_mozilla_t)
# Access /proc, sysctl
- kernel_read_system_state($1_mozilla_t)
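Review bot: The comment `# helper apps will try to create .files` on the else branch no longer describes what the branch does, now that the line added beneath it actively transitions directories the browser creates in $HOME to `$1_mozilla_home_t` while file creation stays only dontaudited; suggest `# helper apps try to create dotfiles in $HOME: silently deny files, but give new dirs the mozilla_home label`. In the tunable branch the new `userdom_user_home_dir_filetrans_user_home_content($1,$1_mozilla_t, { file dir })` labels everything the browser creates directly in $HOME as generic user home content, the widest label available, so if that is the intent of the tunable a one-line why-comment next to it would save the next reader from assuming it is an oversight. The enclosing template body starts and ends outside this hunk.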
@@ -3352,7 +3357,7 @@
# Look for plugins
corecmd_list_bin($1_mozilla_t)
-@@ -165,11 +203,23 @@
+@@ -165,10 +206,23 @@
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
@@ -3370,13 +3375,13 @@
+ fs_manage_dos_dirs($1_mozilla_t)
+ fs_manage_dos_files($1_mozilla_t)
fs_rw_tmpfs_files($1_mozilla_t)
-
-+ selinux_dontaudit_getattr_fs($1_mozilla_t)
++ fs_read_noxattr_fs_files($1_mozilla_t)
+
++ selinux_dontaudit_getattr_fs($1_mozilla_t)
+
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
- libs_use_ld_so($1_mozilla_t)
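Review bot: `fs_read_noxattr_fs_files($1_mozilla_t)` grants the browser domain read access to every file on any filesystem without xattr support, which is broader than the DOS-filesystem manage rules already present two lines above it, and the hunk gives no rationale for the widening. Suggest a why-comment on the new line, e.g. `# noxattr filesystems (iso9660, removable media) carry no labels, so this is read access to everything on such mounts; needed for plugins/media there`, and consider whether it should sit under a tunable the way the cifs/nfs access in this template appears to (the gating construct is not visible here, so please confirm). The template body continues beyond this hunk.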
-@@ -184,16 +234,14 @@
+@@ -184,16 +238,13 @@
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
@@ -3388,7 +3393,6 @@
- userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t)
-+ userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir)
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
@@ -3397,7 +3401,7 @@
tunable_policy(`allow_execmem',`
allow $1_mozilla_t self:process { execmem execstack };
-@@ -211,131 +259,8 @@
+@@ -211,131 +262,8 @@
fs_manage_cifs_symlinks($1_mozilla_t)
')
@@ -3531,7 +3535,7 @@
')
optional_policy(`
-@@ -350,21 +275,26 @@
+@@ -350,21 +278,27 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
@@ -3543,7 +3547,8 @@
- dbus_send_system_bus($1_mozilla_t)
- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
- dbus_send_user_bus($1,$1_mozilla_t)
-+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
++# dbus_send_user_bus(xguest,xguest_mozilla_t)
++# dbus_connectto_user_bus(xguest,xguest_mozilla_t)
')
optional_policy(`
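Review bot: The two new lines `# dbus_send_user_bus(xguest,xguest_mozilla_t)` and `# dbus_connectto_user_bus(xguest,xguest_mozilla_t)` are commented-out code that hard-codes `xguest` inside a template otherwise parameterized by `$1`, and this same commit lands the working rules in users/guest.te, so leaving them here only invites someone to uncomment them for every user prefix. Either drop both lines or replace them with a pointer such as `# user-bus dbus access for the xguest browser domain is granted in users/guest.te`. The surrounding optional_policy block opens before this hunk.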
@@ -3562,7 +3567,7 @@
')
optional_policy(`
-@@ -384,25 +314,6 @@
+@@ -384,25 +318,6 @@
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
')
@@ -3588,7 +3593,7 @@
')
########################################
-@@ -575,3 +486,27 @@
+@@ -575,3 +490,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
@@ -3894,7 +3899,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-12-18 11:39:11.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-12-21 13:30:42.000000000 -0500
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -3951,7 +3956,7 @@
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +269,18 @@
+@@ -259,3 +269,23 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -3970,6 +3975,11 @@
+/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/npviewer -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/npconfig -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-12-02 21:15:34.000000000 -0500
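Review bot: The four new nspluginwrapper contexts match only the literal `/usr/lib/nspluginwrapper/` path, so on a 64-bit install where the package presumably also ships under `/usr/lib64/nspluginwrapper/` those binaries would keep the default library label and not execute as `bin_t`; refpolicy .fc files commonly write `/usr/lib(64)?/` for this reason, though the rest of this file is not visible here, so please confirm. Suggest collapsing to two patterns: `/usr/lib(64)?/nspluginwrapper/npviewer(\.bin)? -- gen_context(system_u:object_r:bin_t,s0)` and `/usr/lib(64)?/nspluginwrapper/(np|plugin-)config -- gen_context(system_u:object_r:bin_t,s0)`. Note that `bin_t` means `npviewer.bin` runs in the calling `$1_mozilla_t` domain with no transition, so the out-of-process plugin viewer inherits the browser's execmem/execstack tunable rather than gaining any separate confinement; a one-line comment saying that is intended would help.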
@@ -5013,7 +5023,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-12-07 15:03:55.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-12-21 13:39:28.000000000 -0500
@@ -271,45 +271,6 @@
########################################
@@ -5481,8 +5491,8 @@
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-12-02 21:15:34.000000000 -0500
-@@ -6,6 +6,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-12-21 10:02:37.000000000 -0500
+@@ -6,18 +6,22 @@
/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -5490,7 +5500,13 @@
/dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -18,6 +19,8 @@
+ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -5499,7 +5515,7 @@
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -31,6 +34,7 @@
+@@ -31,6 +35,7 @@
/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
@@ -5507,7 +5523,7 @@
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -39,6 +43,7 @@
+@@ -39,6 +44,7 @@
')
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -5515,7 +5531,7 @@
/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -52,7 +57,7 @@
+@@ -52,7 +58,7 @@
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -8075,7 +8091,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-12-07 15:45:18.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-12-21 16:31:32.000000000 -0500
@@ -50,6 +50,12 @@
## </param>
#
@@ -8165,7 +8181,7 @@
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
-@@ -271,6 +297,32 @@
+@@ -271,6 +297,60 @@
allow $2 $1_dbusd_t:dbus send_msg;
')
@@ -8194,11 +8210,39 @@
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+')
+
++########################################
++## <summary>
++## Chat on user/application specific DBUS.
++## </summary>
++## <param name="domain_prefix">
++## <summary>
++## The prefix of the domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`dbus_chat_user_bus',`
++ gen_require(`
++ type $1_dbusd_t;
++ type $1_t;
++ class dbus send_msg;
++ ')
++
++ allow $2 $1_dbusd_t:dbus send_msg;
++ allow $1_dbusd_t $2:dbus send_msg;
++ allow $2 $1_t:dbus send_msg;
++ allow $1_t $2:dbus send_msg;
++')
+
########################################
## <summary>
## Read dbus configuration.
-@@ -286,6 +338,7 @@
+@@ -286,6 +366,7 @@
type dbusd_etc_t;
')
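Review bot: The summary of the new `dbus_chat_user_bus` template under-documents what it grants: besides two-way `send_msg` with `$1_dbusd_t`, it also allows two-way `send_msg` between `$2` and the user's login domain `$1_t`, which is a direct grant to the user domain and not just to the bus daemon. Suggest `## Chat (bidirectional dbus send_msg) with the user's session bus daemon and with the user's login domain $1_t.` in the summary so callers know the `$1_t` rules come along. It also grants no `connectto` on the daemon's socket, so callers must pair it with `dbus_connectto_user_bus` as guest.te does in this commit; a short remark in the description saying so would save the next caller a denial.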
@@ -8206,7 +8250,7 @@
allow $1 dbusd_etc_t:file read_file_perms;
')
-@@ -346,3 +399,55 @@
+@@ -346,3 +427,55 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -21087,11 +21131,20 @@
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-12-04 14:31:41.000000000 -0500
-@@ -0,0 +1,3 @@
++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-12-21 16:23:42.000000000 -0500
+@@ -0,0 +1,12 @@
+policy_module(guest,1.0.1)
+userdom_restricted_user_template(guest)
+userdom_restricted_user_template(gadmin)
++
++optional_policy(`
++ gen_require(`
++ type xguest_mozilla_t;
++ ')
++
++ dbus_chat_user_bus(xguest,xguest_mozilla_t)
++ dbus_connectto_user_bus(xguest,xguest_mozilla_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/logadm.fc 2007-12-02 21:15:34.000000000 -0500
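Review bot: The new optional_policy block puts xguest-specific rules (`gen_require` of `xguest_mozilla_t`, `dbus_chat_user_bus(xguest,xguest_mozilla_t)`, `dbus_connectto_user_bus(xguest,xguest_mozilla_t)`) into guest.te, the module for the guest/gadmin users, while this same commit deletes the hand-added equivalents from xguest.te; that makes the guest module's build depend on the xguest and mozilla modules and leaves xguest's own policy file silent about its browser's dbus access. Suggest moving the block verbatim into xguest.te next to its other mozilla/dbus rules, so the dependency lives with the user it serves. The module version in `policy_module(guest,1.0.1)` is also left unchanged although the module's rules change, which the usual refpolicy convention would bump.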
@@ -21190,8 +21243,8 @@
+## <summary>Policy for xguest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.0.8/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-12-07 15:55:04.000000000 -0500
-@@ -0,0 +1,60 @@
++++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-12-21 14:05:50.000000000 -0500
+@@ -0,0 +1,55 @@
+policy_module(xguest,1.0.1)
+
+## <desc>
@@ -21247,11 +21300,6 @@
+ ')
+')
+
-+# The following lines are broken and had to be added by hand
-+#allow xguest_mozilla_t { xguest_dbusd_t self }:dbus send_msg;
-+#allow xguest_mozilla_t xguest_dbusd_t:dbus connectto;
-+#allow xguest_dbusd_t xguest_mozilla_t:dbus send_msg;
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-22 13:21:43.000000000 -0400
+++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-12-02 21:15:34.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.596
retrieving revision 1.597
diff -u -r1.596 -r1.597
--- selinux-policy.spec 21 Dec 2007 08:00:48 -0000 1.596
+++ selinux-policy.spec 21 Dec 2007 21:46:09 -0000 1.597
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 70%{?dist}
+Release: 71%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -382,6 +382,13 @@
%endif
%changelog
+* Fri Dec 21 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-71
+- add file context for nspluginwrapper
+
+* Fri Dec 21 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-70
+- Allow mount.crypto to work
+- Allow fsck to read file_t
+
* Wed Dec 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-69
- Allow ssh to read sym links in homedirs